Query Details
Remote Logon
Query
//Accounts that logged on remotely to specified computer, and how many times search in (SecurityEvent) EventID == 4624 and (LogonTypeName == "3 - Network" or LogonTypeName == "10 - RemoteInteractive") and Computer == "<yourcomputername>" | summarize RemoteLogonCount = count() by Account
Explanation
This query searches for accounts that have logged on remotely to a specific computer and counts how many times they have done so.
Details
Rod Trent
Released: May 25, 2021
Tables
SecurityEvent
Keywords
Accounts,Remotely,Computer,LogonTypeName,SecurityEvent,EventID,RemoteInteractive,Network,YourComputerName,Summarize,RemoteLogonCount,Count
Operators
searchinEventID==4624andLogonTypeName=="3 - Network"orLogonTypeName=="10 - RemoteInteractive"andComputer=="<yourcomputername>"|summarizeRemoteLogonCount=count()byAccount.