Query Details
System Time Changed
Query
Use Case: Identifying instances of system time changes for security auditing within the last 7 days.
Query:
WindowsEvent('Security', 7d)
| where tostring(EventId) == '4616'Explanation
The query is looking for instances of system time changes in the security logs of Windows events that have occurred within the last 7 days. It filters the results to only include events with the EventId of 4616.
Details
Ugur Koc
Released: February 4, 2024
Tables
WindowsEvent
Keywords
WindowsEvent,Security,EventId
Operators
|wheretostring==