Query Details

User Right Assigned

Query

Use Case: Identify and analyze Windows Security log events from the last 7 days in which a user right to perform privileged tasks was assigned to an account (Event ID 4704).


Query:

WindowsEvent('Security', 7d)
| where tostring(EventId) == '4704'

Explanation

The query reads the Windows Security event log for the last 7 days and keeps only events with Event ID 4704, which Windows records when a user right to perform privileged tasks is assigned.
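
A triage step for the events this query returns, as an added example that is not part of the original query page: it parses 4704 events in the Windows Event XML layout and marks those that assign a high-impact right. The function name `triage_4704`, the root `Events` wrapper, the watchlist contents and the sample events are all assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed watchlist of high-impact user rights; tune it for your environment.
SENSITIVE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeImpersonatePrivilege",
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeEnableDelegationPrivilege",
}

def _event(event_id, when, actor, target_sid, rights):
    """Build one constructed event in the Windows Event XML layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/></System>'
        f'<EventData><Data Name="SubjectUserName">{actor}</Data>'
        f'<Data Name="TargetSid">{target_sid}</Data>'
        f'<Data Name="PrivilegeList">{rights}</Data></EventData></Event>'
    )

# Constructed sample data, not real log output.
SAMPLE = "<Events>" + "".join([
    _event(4704, "2024-02-01T10:15:00Z", "admin1", "S-1-5-21-1-2-3-1104",
           "SeDebugPrivilege\n\t\t\tSeChangeNotifyPrivilege"),
    _event(4704, "2024-02-02T08:00:00Z", "admin2", "S-1-5-21-1-2-3-1105",
           "SeTimeZonePrivilege"),
    _event(4624, "2024-02-02T09:00:00Z", "user3", "S-1-5-21-1-2-3-1106", ""),
]) + "</Events>"

def triage_4704(xml_text, watchlist=SENSITIVE):
    """Return one record per 4704 event, noting any watchlisted rights assigned."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4704":
            continue  # skip events other than "a user right was assigned"
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        rights = data.get("PrivilegeList", "").split()  # names are whitespace-separated
        records.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "assigned_by": data.get("SubjectUserName"),
            "target_sid": data.get("TargetSid"),
            "rights": rights,
            "flagged": sorted(set(rights) & watchlist),
        })
    return records

if __name__ == "__main__":
    for rec in triage_4704(SAMPLE):
        print("REVIEW" if rec["flagged"] else "info", rec)
```

Records with a non-empty `flagged` list are the ones to check against an approved change.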

Details


Ugur Koc

Released: February 4, 2024

Tables

WindowsEvent

Keywords

WindowsEvent,Security,EventId

Operators

| where EventID == 4704
