Query Details

Domain Admins Enterprise Admins

Query

//New Domain Admins and Enterprise Admins
//Group-membership change events (4728/4756 = member added to a global/universal group,
//4729/4757 = member removed) put the group name in TargetUserName and the account that
//was added or removed in MemberName; SubjectUserName is the account that made the change
Event
| where TimeGenerated > ago(7d)
| extend eventData=parse_json(EventData)
| project TimeGenerated, Computer, EventID, eventData.MemberName, eventData.SubjectDomainName, eventData.SubjectUserName, eventData.TargetUserName
//project turns eventData.X into a column named eventData_X, which is what the filter below references
| where eventData_TargetUserName == "Domain Admins" or eventData_TargetUserName == "Enterprise Admins"

Explanation

This query takes Event table rows from the last 7 days, parses the EventData payload, and keeps only the rows whose TargetUserName is "Domain Admins" or "Enterprise Admins". For group-membership change events, TargetUserName holds the group that was modified, MemberName holds the account that was added or removed, and SubjectUserName together with SubjectDomainName identify who made the change. The projected columns are the time the event was generated, the computer that logged it (normally a domain controller), the event ID, the member name, the subject domain name, the subject user name, and the target user name. Two caveats are worth knowing before relying on it. First, the query does not restrict EventID, so membership removals (4729 for global groups, 4757 for universal groups) match alongside the additions (4728 for Domain Admins, which is a global group, and 4756 for Enterprise Admins, which is a universal group); restrict EventID to 4728 and 4756 if only new admins are of interest. Second, the Event table stores EventData as a raw XML string, so if the projected eventData fields come back empty, parse the payload with parse_xml instead, or run the same filter against the SecurityEvent table, where the Security Events connector already exposes MemberName, SubjectUserName and TargetUserName as columns.
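To make the filtering logic concrete without a Log Analytics workspace, the following is an added Python replay of the query's where / extend / project pipeline over a handful of constructed Event-table rows. It is not part of the original page and is not Rod Trent's code. It assumes EventData is the XML fragment of <Data Name="..."> elements that the Log Analytics agent stores for Windows events (the sample rows below are constructed, not real telemetry), and it goes one step beyond the page's query by taking an optional EventID set so you can see how removals (4729/4757) slip through when only TargetUserName is filtered.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Groups the page's query watches.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# 4728: member added to a security-enabled global group (Domain Admins is global).
# 4756: member added to a security-enabled universal group (Enterprise Admins is universal).
# 4729 and 4757 are the matching removals; they carry the same TargetUserName, so a
# query that filters only on TargetUserName returns them too.
GROUP_ADD_EVENT_IDS = {4728, 4756}

# Fixed "now" so the 7-day window is deterministic for the constructed sample below.
NOW = datetime(2021, 3, 25, 12, 0, tzinfo=timezone.utc)


def _event(days_ago, computer, event_id, member, subject_domain, subject_user, target):
    """Build one constructed Event-table row. EventData is assumed (not verified here)
    to be the XML fragment of <Data Name="...">value</Data> elements the agent stores."""
    event_data = (
        "<EventData>"
        f'<Data Name="MemberName">{member}</Data>'
        f'<Data Name="TargetUserName">{target}</Data>'
        f'<Data Name="SubjectDomainName">{subject_domain}</Data>'
        f'<Data Name="SubjectUserName">{subject_user}</Data>'
        "</EventData>"
    )
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "Computer": computer,
        "EventID": event_id,
        "EventData": event_data,
    }


# Constructed sample rows, not real telemetry.
SAMPLE_EVENTS = [
    _event(2, "DC01.corp.example", 4728, "CN=Jane Doe,CN=Users,DC=corp,DC=example",
           "CORP", "helpdesk1", "Domain Admins"),
    _event(1, "DC01.corp.example", 4756, "CN=svc-backup,CN=Users,DC=corp,DC=example",
           "CORP", "adm-bob", "Enterprise Admins"),
    _event(3, "DC02.corp.example", 4729, "CN=Old Admin,CN=Users,DC=corp,DC=example",
           "CORP", "adm-bob", "Domain Admins"),          # removal, not an addition
    _event(1, "DC02.corp.example", 4728, "CN=Ops User,CN=Users,DC=corp,DC=example",
           "CORP", "helpdesk1", "Backup Operators"),     # not a watched group
    _event(10, "DC01.corp.example", 4728, "CN=Stale Add,CN=Users,DC=corp,DC=example",
           "CORP", "helpdesk1", "Domain Admins"),        # outside the 7-day window
]


def parse_event_data(xml_text):
    """Return {Data Name: value} for an EventData fragment (the role parse_json plays in the query)."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter("Data")}


def find_privileged_group_changes(events, now=NOW, lookback=timedelta(days=7),
                                  event_ids=GROUP_ADD_EVENT_IDS):
    """Replay the query's where / extend / project pipeline over in-memory rows.

    event_ids=None reproduces the page's query exactly (no EventID restriction);
    the default keeps only the add events so removals do not show up as "new admins".
    """
    hits = []
    for ev in events:
        if ev["TimeGenerated"] <= now - lookback:          # where TimeGenerated > ago(7d)
            continue
        if event_ids is not None and ev["EventID"] not in event_ids:
            continue
        data = parse_event_data(ev["EventData"])           # extend eventData=parse_json(EventData)
        if data.get("TargetUserName") not in PRIVILEGED_GROUPS:
            continue
        hits.append({                                      # project ...
            "TimeGenerated": ev["TimeGenerated"],
            "Computer": ev["Computer"],
            "EventID": ev["EventID"],
            "MemberName": data.get("MemberName"),
            "SubjectDomainName": data.get("SubjectDomainName"),
            "SubjectUserName": data.get("SubjectUserName"),
            "TargetUserName": data.get("TargetUserName"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_privileged_group_changes(SAMPLE_EVENTS):
        print(hit["TimeGenerated"].isoformat(), hit["Computer"], hit["EventID"],
              hit["SubjectUserName"], "added", hit["MemberName"], "to", hit["TargetUserName"])
```

With the default event ID set the replay returns the two additions; passing event_ids=None, which mirrors the page's query, also returns the 4729 removal of "Old Admin" from Domain Admins, which is the row an analyst would not want counted as a new admin.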

Details

Rod Trent

Released: March 25, 2021

Tables

Event

Keywords

Event,TimeGenerated,Computer,EventID,eventData,MemberName,SubjectDomainName,SubjectUserName,TargetUserName

Operators

where, extend, parse_json, project, or, ==