Query Details
Restart Shutdowns Last7days
Query
// List restart and shutdowns events for the last 7 days for all agented computers. Event | where TimeGenerated > ago(7d) | where EventLog == "System" and Source == "User32" and EventID == 1074 | search "shutdown" | sort by TimeGenerated desc | project TimeGenerated, Computer
Explanation
This query retrieves a list of restart and shutdown events that occurred in the last 7 days for all computers with agents. It filters the events based on specific criteria such as the event log, source, and event ID. It then searches for events containing the word "shutdown" and sorts the results by the time they were generated. Finally, it projects the time the event was generated and the computer name.
Details
Rod Trent
Released: October 16, 2020
Tables
Event
Keywords
Event,TimeGenerated,Computer
Operators
whereagoand==searchsort byproject