Query Details

Query Recent Windows System Event Logs

Query

Author: Niklas Tinner (@NiklasTinner)

Use Case: Monitoring and analyzing recent service start events within the last hour on a Windows system for security or operational efficiency purposes.

WindowsEvent('System', 1h)
| where EventId == 3 // look up only event ID 3 (Service Started)
| order by LoggedDateTime desc

Explanation

This query is used to monitor and analyze service start events on a Windows system within the last hour. It specifically looks for events with ID 3, which indicate that a service has started. The results are then ordered by the time they were logged, with the most recent events appearing first.

Details


Ugur Koc

Released: February 4, 2024

Tables

WindowsEvent

Keywords

WindowsEvent,System,EventId,Service,Started,LoggedDateTime

Operators

WindowsEvent,where,EventId,==,order by,LoggedDateTime,desc
