Query Details

//Alert when the 'Log on to' device list is changed for a user
//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent
SecurityEvent
| where EventID == 4738
| where AccountType == "User"
//Include domain accounts only (excluding local accounts)
| where TargetDomainName == SubjectDomainName
| extend ['Allowed Devices'] = case(isnotempty(UserWorkstations) and UserWorkstations != "-" and UserWorkstations != "%%1793", split(UserWorkstations, ","),
(isnotempty(UserWorkstations) and UserWorkstations == "%%1793"), strcat("User can log onto all devices"),
"unknown")
//Exclude other 4738 events where the device list isn't changed
| where ['Allowed Devices'] != "unknown"
| project TimeGenerated, Actor=SubjectAccount, User=TargetAccount, ['Allowed Devices']

This query looks for security events where a user's 'Log on to' device list has been changed. It filters for events with EventID 4738 (a user account was changed) and AccountType "User", and keeps only domain accounts by requiring the target and subject domains to match, which excludes local accounts. It then extends the results with an 'Allowed Devices' column: the comma-separated workstation list when one is set, or "User can log onto all devices" when the restriction is cleared. 4738 events where the device list was not touched are excluded, and the query projects the time the event was generated, the actor (who made the change), the user (whose device list was changed), and the 'Allowed Devices' column.
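The same detection logic, re-implemented offline so it can be checked against sample rows before the KQL is deployed. This is an added example, not the query author's code or anything from the Sentinel SecurityEvent connector; the rows are constructed and the column names mirror the SecurityEvent table as used in the query above.

```python
"""Offline mirror of the 'Log on to' device-list change detection.

Applies the query's filters (EventID 4738, AccountType User, domain accounts
only, UserWorkstations populated) to constructed SecurityEvent-like rows.
"""

NOT_SET = "%%1793"  # parameter string the query treats as "no workstation restriction"


def allowed_devices(user_workstations):
    """Mirror the case() expression: host list, 'all devices' string, or None ('unknown')."""
    if not user_workstations or user_workstations == "-":
        return None
    if user_workstations == NOT_SET:
        return "User can log onto all devices"
    return user_workstations.split(",")  # same tokenisation as split(UserWorkstations, ",")


def detect_logon_to_changes(events):
    """Return one alert row per 4738 event that changed a domain user's 'Log on to' list."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4738 or e.get("AccountType") != "User":
            continue
        if e.get("TargetDomainName") != e.get("SubjectDomainName"):
            continue  # local account change; excluded as in the query
        devices = allowed_devices(e.get("UserWorkstations"))
        if devices is None:
            continue  # some other attribute of the account changed
        alerts.append({"TimeGenerated": e["TimeGenerated"], "Actor": e["SubjectAccount"],
                       "User": e["TargetAccount"], "Allowed Devices": devices})
    return alerts


def row(ts, actor, target, target_dom, workstations):
    """Build a minimal SecurityEvent-like 4738 row (constructed sample data, not real telemetry)."""
    return {"TimeGenerated": ts, "EventID": 4738, "AccountType": "User",
            "SubjectDomainName": "CONTOSO", "TargetDomainName": target_dom,
            "SubjectAccount": actor, "TargetAccount": target,
            "UserWorkstations": workstations}


SAMPLE_EVENTS = [
    row("2022-06-17T09:00Z", "CONTOSO\\helpdesk1", "CONTOSO\\jdoe", "CONTOSO", "WS01,WS02"),
    row("2022-06-17T09:05Z", "CONTOSO\\helpdesk1", "CONTOSO\\jdoe", "CONTOSO", NOT_SET),
    row("2022-06-17T09:06Z", "CONTOSO\\helpdesk1", "CONTOSO\\asmith", "CONTOSO", "-"),
    row("2022-06-17T09:07Z", "CONTOSO\\admin", "WS05\\localuser", "WS05", "WS05"),
]

if __name__ == "__main__":
    for alert in detect_logon_to_changes(SAMPLE_EVENTS):
        print(alert)  # two alerts: the explicit list, then the restriction being cleared
```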

Matt Zorich
Released: June 17, 2022