Query Details

Sec Events Summarize Logon Events

Query

//Create a summary of interactive (console) and remote interactive (RDP) logons to your Windows devices using the security event logs

//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent

SecurityEvent
| where TimeGenerated > ago(30d)
//4624 = successful logon; EventID and LogonType are integer columns, so compare them as numbers
| where EventID == 4624
//LogonType 2 = Interactive, 10 = RemoteInteractive (RDP)
| where LogonType in (2, 10)
//Keep only domain logon events by matching the subject and target domain name fields
//(logons with local accounts carry the computer name as TargetDomainName and are dropped here)
| where SubjectDomainName == TargetDomainName
| summarize
    ['Interactive logon count']=countif(LogonType == 2),
    ['Interactive distinct logon count']=dcountif(Account, LogonType == 2),
    ['List of interactive logons']=make_set_if(Account, LogonType == 2),
    ['Remote interactive logon count']=countif(LogonType == 10),
    ['Remote interactive distinct logon count']=dcountif(Account, LogonType == 10),
    ['List of remote interactive logons']=make_set_if(Account, LogonType == 10)
    by Computer
| sort by Computer asc

Explanation

This query summarizes interactive (console) and remote interactive (RDP) logons to Windows devices using the security event logs. It keeps successful logon events (EventID 4624) from the last 30 days with LogonType 2 (Interactive) or 10 (RemoteInteractive), and then keeps only events whose SubjectDomainName matches the TargetDomainName, which restricts the results to domain account logons and drops local-account logons (where TargetDomainName is the computer name). For each type it then computes the total number of logons (countif), the number of distinct accounts (dcountif), and the set of accounts involved (make_set_if). The results are grouped by computer and sorted by computer name in ascending order. Note that other logon types are out of scope here: unlocks (LogonType 7) and cached interactive logons on domain-joined machines that cannot reach a domain controller (LogonType 11) are not counted, and neither are network logons (LogonType 3), so the output reflects console and RDP sessions only.
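To make the aggregation semantics concrete (countif versus dcountif versus make_set_if, and what the domain filter discards), the following Python re-implements the same filtering and summarization over a handful of constructed 4624 records. This is an added example, not code from the page or its author; the event dictionaries are constructed sample data that mimic the SecurityEvent column names, and the output dictionary keys reuse the query's column aliases. Unlike make_set_if, whose set order is unspecified, the account lists here are sorted so the result is deterministic.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Windows logon type codes used by the query
INTERACTIVE = 2          # console logon
REMOTE_INTERACTIVE = 10  # RDP logon
SUCCESSFUL_LOGON = 4624

# Constructed sample events (not real telemetry), using SecurityEvent column names.
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)


def _event(days_ago, event_id, logon_type, subj_dom, tgt_dom, account, computer):
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "EventID": event_id,
        "LogonType": logon_type,
        "SubjectDomainName": subj_dom,
        "TargetDomainName": tgt_dom,
        "Account": account,
        "Computer": computer,
    }


SAMPLE_EVENTS = [
    # domain user at the console of WS01, twice: count 2, distinct count 1
    _event(1, 4624, 2, "CONTOSO", "CONTOSO", r"CONTOSO\alice", "WS01.contoso.local"),
    _event(2, 4624, 2, "CONTOSO", "CONTOSO", r"CONTOSO\alice", "WS01.contoso.local"),
    # local account on WS01: TargetDomainName is the host name, dropped by the domain filter
    _event(3, 4624, 2, "CONTOSO", "WS01", r"WS01\localadmin", "WS01.contoso.local"),
    # RDP logon to SRV01 by a domain user
    _event(4, 4624, 10, "CONTOSO", "CONTOSO", r"CONTOSO\bob", "SRV01.contoso.local"),
    # network (SMB) logon, LogonType 3: out of scope
    _event(5, 4624, 3, "CONTOSO", "CONTOSO", r"CONTOSO\svc-backup", "SRV01.contoso.local"),
    # RDP logon older than the 30 day window: excluded
    _event(45, 4624, 10, "CONTOSO", "CONTOSO", r"CONTOSO\carol", "SRV01.contoso.local"),
    # failed logon (4625): excluded by the EventID filter
    _event(1, 4625, 10, "CONTOSO", "CONTOSO", r"CONTOSO\mallory", "SRV01.contoso.local"),
]


def summarize_logons(events, now=NOW, window=timedelta(days=30)):
    """Apply the query's filters and return {Computer: summary} sorted by computer name."""
    cutoff = now - window
    # per computer, per logon type, the list of accounts (one entry per event)
    buckets = defaultdict(lambda: {INTERACTIVE: [], REMOTE_INTERACTIVE: []})
    for ev in events:
        if not ev["TimeGenerated"] > cutoff:            # TimeGenerated > ago(30d)
            continue
        if ev["EventID"] != SUCCESSFUL_LOGON:            # EventID == 4624
            continue
        if ev["LogonType"] not in buckets.default_factory():  # LogonType in (2, 10)
            continue
        if ev["SubjectDomainName"] != ev["TargetDomainName"]:  # domain logons only
            continue
        buckets[ev["Computer"]][ev["LogonType"]].append(ev["Account"])

    result = {}
    for computer in sorted(buckets):                     # sort by Computer asc
        inter = buckets[computer][INTERACTIVE]
        remote = buckets[computer][REMOTE_INTERACTIVE]
        result[computer] = {
            "Interactive logon count": len(inter),                  # countif
            "Interactive distinct logon count": len(set(inter)),    # dcountif
            "List of interactive logons": sorted(set(inter)),       # make_set_if
            "Remote interactive logon count": len(remote),
            "Remote interactive distinct logon count": len(set(remote)),
            "List of remote interactive logons": sorted(set(remote)),
        }
    return result


if __name__ == "__main__":
    for computer, summary in summarize_logons(SAMPLE_EVENTS).items():
        print(computer)
        for key, value in summary.items():
            print(f"  {key}: {value}")
```

Running it shows WS01 with two interactive logons by one distinct account and SRV01 with a single RDP logon; the local-account, network, stale and failed events all fall out of the summary, which is the same shape of result the KQL query returns.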

Details

Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

SecurityEvent,TimeGenerated,EventID,LogonType,SubjectDomainName,TargetDomainName,Account,Computer

Operators

where, >, ago, ==, in, summarize, countif, dcountif, make_set_if, by, sort by, asc
