KQL Search

This query is designed to track changes in the operating system names of computer objects within Active Directory. Here's a simple breakdown of what the query does:

1. Data Source: It starts by looking at events from IdentityDirectoryEvents.

2. Filter: It filters the events to only include those where the action type is "Device Operating System changed". This means it's specifically interested in events where a computer's operating system name has been updated.

3. Extract Information:

   • It extracts the previous and new operating system names from the AdditionalFields column, storing them as FROMDeviceOperatingSystem and TODeviceOperatingSystem.

4. Select Columns: It selects the following columns to display:

   • TimeGenerated: The time when the change was recorded.
   • TargetDeviceName: The name of the computer whose operating system name changed.
   • FROMDeviceOperatingSystem: The old operating system name.
   • TODeviceOperatingSystem: The new operating system name.

5. Summarize: It summarizes the data to show the most recent operating system name change for each computer. This is done using arg_max(TimeGenerated, *), which ensures that only the latest change for each TargetDeviceName is displayed.

In summary, this query helps identify and display the most recent operating system name changes for computers in Active Directory, showing what the name changed from and to, along with the time of the change.