Query Details

Device Summarize Local Group Additions

Query

//Summarize the total count of all local group additions by group name

//Data connector required for this query - M365 Defender - Device* tables

DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == "UserAccountAddedToLocalGroup"
| summarize ['Local Group Addition Count']=count() by ['Local Group Name']=tostring(AdditionalFields.GroupName)
//sort by defaults to descending order, so the most frequently changed groups come first
| sort by ['Local Group Addition Count']

Explanation

This query summarizes the total count of local group additions by group name. It uses the M365 Defender - Device* tables as the data source. It filters the DeviceEvents table to include events that occurred within the last 30 days and have an ActionType of "UserAccountAddedToLocalGroup". Then, it counts these events and groups them by the local group name, which is read from the GroupName property of the dynamic AdditionalFields column and converted to a string. Finally, the results are sorted by the count of local group additions in descending order (the default for `sort by`).
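The summary above tells you which groups change most often, but not where or for whom. The following query is an added example, not part of the original query or the author's published content; it keeps the same 30-day window and the same `AdditionalFields.GroupName` extraction, then breaks the count down by device and surfaces additions to high-privilege local groups first. The `privilegedGroups` list is an assumption (adjust it for localized group names), and the use of `AccountName` as the account that was added to the group is also an assumption to confirm against your own events.

```kql
// Added example: per-device breakdown of local group additions, privileged groups first.
// Assumptions: group names below are illustrative; AccountName is taken to be the account
// that was added to the group (verify this against your tenant's DeviceEvents rows).
let lookback = 30d;
let privilegedGroups = dynamic(["Administrators", "Remote Desktop Users", "Backup Operators"]);
DeviceEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "UserAccountAddedToLocalGroup"
| extend LocalGroupName = tostring(AdditionalFields.GroupName)
| extend IsPrivilegedGroup = LocalGroupName in~ (privilegedGroups)
| summarize
    AdditionCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    AddedAccounts = make_set(AccountName, 50)
    by DeviceName, LocalGroupName, IsPrivilegedGroup
| sort by IsPrivilegedGroup desc, AdditionCount desc
```

Sorting on `IsPrivilegedGroup` before the count keeps a single addition to Administrators on one device above dozens of additions to a low-impact group, which is usually the order an analyst wants to triage in. The `make_set` cap of 50 stops one noisy device from producing an unreadable cell.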

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents,TimeGenerated,ActionType,UserAccountAddedToLocalGroup,LocalGroupAdditionCount,LocalGroupName,AdditionalFields.GroupName

Operators

where, >, ago, ==, summarize, count(), by, tostring(), sort by
