Query Details

Net Logon Patch Compliance

Query

//Choose which to track (compliance or non-compliance) and uncomment the matching where line
//Based on https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

SecurityEvent
| join Heartbeat on Computer
//| where EventID == "5829" //Tracking NetLogon Non-Compliance (vulnerable connection allowed)
//| where EventID == "5827" or EventID == "5828" //Tracking NetLogon Compliance (vulnerable connection denied)
| distinct Computer, OSType, OSMajorVersion, Version

Explanation

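This query tracks either compliance or non-compliance of NetLogon secure channel connections. It takes security events, joins them with heartbeat data on the Computer column, and returns the distinct combinations of computer name, operating system type, OS major version, and version (the last three come from the Heartbeat table). As written, both where filters are commented out, so the query lists every computer that has both security events and heartbeat data; uncomment one of the two filters to restrict the result to computers that logged the chosen event IDs.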
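The following is an added example, not part of the original query or the author's work. It goes a step beyond the query above by counting the three event IDs per computer and attaching only the latest heartbeat record. The two sample tables and their rows are constructed, the output column names Allowed5829, Denied5827_5828 and LastEvent are chosen here, and EventID is compared as an integer on the assumption that it matches the SecurityEvent column type.

```kusto
// Constructed sample rows with the SecurityEvent columns the query uses.
let SampleSecurityEvent = datatable(TimeGenerated: datetime, Computer: string, EventID: int)
[
    datetime(2020-09-21 08:15:00), "dc01.example.test", 5829,
    datetime(2020-09-21 09:40:00), "dc01.example.test", 5829,
    datetime(2020-09-22 11:05:00), "dc02.example.test", 5827,
    datetime(2020-09-22 11:06:00), "dc02.example.test", 5828,
    datetime(2020-09-22 12:00:00), "dc03.example.test", 4624   // unrelated event, filtered out
];
// Constructed sample rows with the Heartbeat columns the query uses.
let SampleHeartbeat = datatable(TimeGenerated: datetime, Computer: string,
                                OSType: string, OSMajorVersion: string, Version: string)
[
    datetime(2020-09-22 11:00:00), "dc01.example.test", "Windows", "10", "10.20.18029.0",
    datetime(2020-09-22 12:00:00), "dc01.example.test", "Windows", "10", "10.20.18040.0",
    datetime(2020-09-22 12:00:00), "dc02.example.test", "Windows", "10", "10.20.18040.0",
    datetime(2020-09-22 12:00:00), "dc03.example.test", "Windows", "10", "10.20.18040.0"
];
SampleSecurityEvent
// Filter before the join so only the Netlogon events of interest are joined.
| where EventID in (5827, 5828, 5829)
| summarize Allowed5829     = countif(EventID == 5829),
            Denied5827_5828 = countif(EventID in (5827, 5828)),
            LastEvent       = max(TimeGenerated)
          by Computer
// Keep one heartbeat row per computer (the most recent) so the join does not multiply rows.
| join kind=leftouter (
    SampleHeartbeat
    | summarize arg_max(TimeGenerated, OSType, OSMajorVersion, Version) by Computer
  ) on Computer
| project Computer, OSType, OSMajorVersion, Version, Allowed5829, Denied5827_5828, LastEvent
| order by Allowed5829 desc, Computer asc
```

To run it against a workspace, replace SampleSecurityEvent and SampleHeartbeat with the real table names and add a time range filter.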

Details

Rod Trent

Released: September 23, 2020

Tables

SecurityEvent Heartbeat

Keywords

SecurityEvent,Heartbeat,Computer,EventID,NetLogon,Non-Compliance,Compliance,distinct,OSType,OSMajorVersion,Version

Operators

join where distinct
