Query Details

Security Event Summarize Privileges Assigned on Logon

Query

//Create a summary of your computers and the accounts that have logged on with special privileges over the last 30 days
//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent
//Note: no blank lines inside the query, because Log Analytics treats an empty line as a separator between queries
SecurityEvent
| where TimeGenerated > ago(30d)
| project TimeGenerated, EventID, Account, AccountType, PrivilegeList, Computer
//4672 = "Special privileges assigned to new logon"; EventID is a numeric column, so compare with a numeric literal
| where EventID == 4672
| where Account != "NT AUTHORITY\\SYSTEM" and Account !has "Window Manager"
| where AccountType == "User"
//The privilege list is stored in a string of text that we need to split
| extend Privs=extract_all(@"Se(.*?)Privilege", PrivilegeList)
//Once we retrieve the privileges from the string of text we can recreate the proper naming
//extract_all returns a dynamic array of the captured groups, so expand it to strings before rebuilding the names
| mv-expand Privs to typeof(string)
| extend Privilege=strcat('Se', Privs, 'Privilege')
| project TimeGenerated, Account, Computer, Privilege
| summarize ['List of Privileges']=make_set(Privilege) by Computer, Account
| sort by Computer asc

Explanation

This query produces a summary of computers and the accounts that have logged on with special privileges in the last 30 days. It reads the Windows Security Events data, keeps only the columns it needs, restricts the results to event 4672 and excludes the SYSTEM and Window Manager accounts as well as non-user account types. It then extracts each privilege from the PrivilegeList string with a regular expression, expands the resulting array to one row per privilege, rebuilds the full Se...Privilege name, and finally summarizes the data by computer and account, producing the set of privileges seen for each combination. The results are sorted by computer in ascending order.
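The same filtering and PrivilegeList parsing, re-implemented in Python over a constructed set of SecurityEvent rows; this is an added example for checking the regex and exclusions offline, not code from the query's author or from this catalog. The hostnames, account names and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the SecurityEvent columns the query projects
# (not real log data). PrivilegeList in a 4672 event is one string with the
# privileges separated by newlines and tabs.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2022-06-15T08:00:00Z", "EventID": 4672, "Account": "CONTOSO\\alice",
     "AccountType": "User", "Computer": "srv01.contoso.local",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeDebugPrivilege"},
    {"TimeGenerated": "2022-06-16T09:30:00Z", "EventID": 4672, "Account": "CONTOSO\\alice",
     "AccountType": "User", "Computer": "srv01.contoso.local",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege"},
    {"TimeGenerated": "2022-06-16T10:00:00Z", "EventID": 4672, "Account": "CONTOSO\\bob",
     "AccountType": "User", "Computer": "ws07.contoso.local", "PrivilegeList": "SeLoadDriverPrivilege"},
    # Rows the query's filters drop: SYSTEM, Window Manager, a machine account, a row outside 30d, a non-4672 event.
    {"TimeGenerated": "2022-06-16T10:05:00Z", "EventID": 4672, "Account": "NT AUTHORITY\\SYSTEM",
     "AccountType": "User", "Computer": "srv01.contoso.local", "PrivilegeList": "SeTcbPrivilege"},
    {"TimeGenerated": "2022-06-16T10:06:00Z", "EventID": 4672, "Account": "Window Manager\\DWM-1",
     "AccountType": "User", "Computer": "ws07.contoso.local", "PrivilegeList": "SeDebugPrivilege"},
    {"TimeGenerated": "2022-06-16T10:07:00Z", "EventID": 4672, "Account": "CONTOSO\\SRV01$",
     "AccountType": "Machine", "Computer": "srv01.contoso.local", "PrivilegeList": "SeDebugPrivilege"},
    {"TimeGenerated": "2022-04-01T10:07:00Z", "EventID": 4672, "Account": "CONTOSO\\carol",
     "AccountType": "User", "Computer": "ws07.contoso.local", "PrivilegeList": "SeDebugPrivilege"},
    {"TimeGenerated": "2022-06-16T10:08:00Z", "EventID": 4624, "Account": "CONTOSO\\bob",
     "AccountType": "User", "Computer": "ws07.contoso.local", "PrivilegeList": "-"},
]
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)  # fixed "now" so the 30-day window is reproducible

PRIV_RE = re.compile(r"Se(.*?)Privilege")  # same pattern the query passes to extract_all()

def extract_privileges(privilege_list):
    """extract_all() returns only the captured group, so rebuild the full Se...Privilege name."""
    return ["Se" + inner + "Privilege" for inner in PRIV_RE.findall(privilege_list)]

def summarize_privileged_logons(events, now=NOW, window=timedelta(days=30)):
    """Return {(Computer, Account): sorted privileges}, mirroring make_set(Privilege) by Computer, Account."""
    cutoff = now - window
    summary = defaultdict(set)
    for e in events:
        when = datetime.fromisoformat(e["TimeGenerated"].replace("Z", "+00:00"))
        if when <= cutoff or e["EventID"] != 4672 or e["AccountType"] != "User":
            continue
        account = e["Account"]
        # KQL `!has` is a case-insensitive term match; a lowercase substring test approximates it here.
        if account == "NT AUTHORITY\\SYSTEM" or "window manager" in account.lower():
            continue
        summary[(e["Computer"], account)].update(extract_privileges(e["PrivilegeList"]))
    return {key: sorted(privs) for key, privs in sorted(summary.items())}  # sorted by Computer asc
```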

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

Devices, Intune, User

Operators

where, project, where, where, where, extend, mv-expand, extend, project, summarize, sort
