Query Details

Device Create Set of Local Admins per Device

Query

// Searches the DeviceInfo table for devices running non-server operating systems, then returns, per device, the set of accounts that have logged on interactively as a local admin. Exclusions for known IT admin accounts can be added (the !contains "admin" filter below is one such exclusion).

//Data connector required for this query - M365 Defender - Device* tables

let devices=
    DeviceInfo
    | where TimeGenerated > ago(30d)
    | where OSPlatform !contains "Server"
    | summarize arg_max(TimeGenerated, *) by DeviceName
    | project DeviceName;
DeviceLogonEvents
| where LogonType == "Interactive"
| where IsLocalAdmin == true
| join kind=inner devices on DeviceName
| where AccountName !contains "admin"
| summarize make_set(AccountName) by DeviceName

Explanation

This query takes the most recent DeviceInfo record per device over the last 30 days, keeps only devices whose OSPlatform does not contain "Server", and joins them to interactive DeviceLogonEvents where IsLocalAdmin is true. The result is one row per device with the set of account names that have logged on as a local admin, which makes it straightforward to spot workstations with more local admins than expected. Known IT admin accounts can be excluded; as written, the query drops any AccountName containing "admin". The query requires the M365 Defender data connector for the Device* tables.
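The following variant is an added example, not part of the original query page. It replaces the substring-based "admin" exclusion with an explicit allow-list of known IT admin accounts (the account names in excludedAdmins are assumed placeholders), counts distinct local admins per device, and surfaces only devices with more than one, which is the usual triage view for finding over-privileged workstations.

```kql
// Added example: per-device local admin set with an explicit exclusion list.
// The account names below are assumed placeholders; replace with your known IT admin accounts.
let excludedAdmins = dynamic(["itadmin", "svc_patching"]);
let devices =
    DeviceInfo
    | where TimeGenerated > ago(30d)
    | where OSPlatform !contains "Server"
    | summarize arg_max(TimeGenerated, *) by DeviceName
    | project DeviceName;
DeviceLogonEvents
| where TimeGenerated > ago(30d)
| where LogonType == "Interactive"
| where IsLocalAdmin == true
| join kind=inner devices on DeviceName
// Case-insensitive exclusion of known IT admin accounts
| where AccountName !in~ (excludedAdmins)
| summarize LocalAdmins = make_set(AccountName), AdminCount = dcount(AccountName) by DeviceName
// Keep devices where more than one distinct account holds local admin rights
| where AdminCount > 1
| order by AdminCount desc
```

Using an explicit list instead of !contains "admin" avoids silently dropping legitimate findings such as a user account that happens to contain "admin" in its name, and the AdminCount column gives a simple threshold to tune per environment.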

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceInfo, DeviceLogonEvents

Keywords

DeviceLogonEvents,Interactive,IsLocalAdmin,AccountName,DeviceName

Operators

where, !contains, summarize, arg_max, project, |, ==, join, kind=inner, where, !contains, summarize, make_set, by
