Query Details

Top Remote Logons

Query

DeviceLogonEvents
// fetch remote interactive (RDP-style) logons
| where LogonType == "RemoteInteractive"
// one row per account and admin flag, with the set of devices it logged on to
| summarize DevicesAccessed = make_set(DeviceName) by AccountName, AccountDomain, AccountSid, IsLocalAdmin
// IsLocalAdmin is a bool, so test for null rather than comparing to an empty string
| where isnotnull(IsLocalAdmin)  // a few duplicates with no IsLocalAdmin value, not sure why
| extend TotalDevices = array_length(DevicesAccessed)
| where TotalDevices > 1
// add identity context (inner join: accounts with no IdentityInfo match drop out)
| join IdentityInfo on $left.AccountSid == $right.OnPremSid
// deduplicate (tostring on the dynamic DevicesAccessed column so distinct can compare it)
| distinct AccountName, JobTitle, tostring(IsLocalAdmin), AccountDomain, tostring(DevicesAccessed), TotalDevices
// sort (descending by default)
| sort by TotalDevices, IsLocalAdmin

Explanation

This query fetches remote interactive logons from the DeviceLogonEvents table. It then groups the logons by account name, account domain, account SID, and whether the account is a local admin, collecting the set of device names each group logged on to. It filters out any rows without a value for the IsLocalAdmin field. The query then calculates the total number of devices accessed by each account and filters out accounts that have accessed only one device.

Next, it adds identity context by joining with the IdentityInfo table on the account SID (OnPremSid). It removes any duplicate rows from the result, which the join can produce when more than one IdentityInfo row matches the same SID. Finally, it sorts the result by the total number of devices accessed and the IsLocalAdmin field, so the accounts that reach the most devices with local admin rights appear first.
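To make the grouping, null filtering, join and deduplication steps concrete, the following Python re-implementation runs the same logic over constructed sample rows. It is an added example, not part of the original page or of Defender itself: the row builder `ev`, the sample SIDs, device names and job titles are all made up, and `IsLocalAdmin is None` stands in for the query's null check.

```python
from collections import defaultdict


def ev(device, account, sid, is_admin, logon_type="RemoteInteractive"):
    """Build one constructed DeviceLogonEvents-style row (sample data, not real telemetry)."""
    return {"DeviceName": device, "LogonType": logon_type, "AccountName": account,
            "AccountDomain": "CORP", "AccountSid": sid, "IsLocalAdmin": is_admin}


LOGON_EVENTS = [
    ev("WS01", "alice", "S-1-5-21-1", True), ev("WS02", "alice", "S-1-5-21-1", True),
    ev("WS03", "alice", "S-1-5-21-1", True), ev("WS02", "alice", "S-1-5-21-1", True),  # repeat device
    ev("WS01", "bob", "S-1-5-21-2", True), ev("WS05", "bob", "S-1-5-21-2", True, "Interactive"),
    ev("WS01", "carol", "S-1-5-21-3", None), ev("WS02", "carol", "S-1-5-21-3", None),  # no admin flag
    ev("WS01", "dave", "S-1-5-21-4", False), ev("WS02", "dave", "S-1-5-21-4", False),
    ev("WS01", "erin", "S-1-5-21-5", True), ev("WS02", "erin", "S-1-5-21-5", True),  # no identity row
]
# Two snapshots for alice reproduce the duplicate join rows the query's `distinct` removes.
IDENTITY_INFO = [
    {"OnPremSid": "S-1-5-21-1", "JobTitle": "Helpdesk"}, {"OnPremSid": "S-1-5-21-1", "JobTitle": "Helpdesk"},
    {"OnPremSid": "S-1-5-21-2", "JobTitle": "Engineer"}, {"OnPremSid": "S-1-5-21-3", "JobTitle": "Analyst"},
    {"OnPremSid": "S-1-5-21-4", "JobTitle": "Finance"},
]


def top_remote_logons(logon_events, identity_info, min_devices=2):
    """Return accounts with RemoteInteractive logons to at least `min_devices` distinct devices."""
    # summarize DevicesAccessed = make_set(DeviceName) by AccountName, AccountDomain, AccountSid, IsLocalAdmin
    devices_by_account = defaultdict(set)
    for row in logon_events:
        if row["LogonType"] != "RemoteInteractive" or row["IsLocalAdmin"] is None:
            continue  # where LogonType == "RemoteInteractive" / where isnotnull(IsLocalAdmin)
        key = (row["AccountName"], row["AccountDomain"], row["AccountSid"], row["IsLocalAdmin"])
        devices_by_account[key].add(row["DeviceName"])
    # join IdentityInfo on $left.AccountSid == $right.OnPremSid (inner join: unmatched SIDs drop out)
    titles = defaultdict(list)
    for row in identity_info:
        titles[row["OnPremSid"]].append(row["JobTitle"])
    joined = set()  # distinct: one row per (account, title, admin flag, domain, device set, count)
    for (name, domain, sid, is_admin), devices in devices_by_account.items():
        if len(devices) < min_devices:
            continue  # where TotalDevices > 1
        for title in titles.get(sid, []):
            joined.add((name, title, is_admin, domain, tuple(sorted(devices)), len(devices)))
    # sort by TotalDevices, IsLocalAdmin (KQL sorts descending by default)
    rows = sorted(joined, key=lambda r: (r[5], r[2]), reverse=True)
    keys = ("AccountName", "JobTitle", "IsLocalAdmin", "AccountDomain", "DevicesAccessed", "TotalDevices")
    return [dict(zip(keys, r)) for r in rows]
```

With the sample data only alice (three devices, local admin) and dave (two devices, not admin) survive: bob has a single RemoteInteractive device, carol has no IsLocalAdmin value, and erin has no IdentityInfo row.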

Details

C.J. May

Released: May 16, 2023

Tables

DeviceLogonEvents IdentityInfo

Keywords

DeviceLogonEvents,LogonType,RemoteInteractive,AccountName,AccountDomain,AccountSid,IsLocalAdmin,DevicesAccessed,TotalDevices,IdentityInfo,OnPremSid,JobTitle
