Query Details

Windows 10 Logged In Last 7 Days

Query

//Shows the Windows 10 computers that have logged in over the last 7 days

let nonInteractive = AADNonInteractiveUserSignInLogs | extend LocationDetails = parse_json(LocationDetails), Status = parse_json(Status), DeviceDetail = parse_json(DeviceDetail);
union SigninLogs,nonInteractive
    | extend errorCode = Status.errorCode
    | extend SigninStatus = case(errorCode == 0, "Success", errorCode == 50058, "Pending user action", errorCode == 50140, "Pending user action", errorCode == 51006, "Pending user action", errorCode == 50059, "Pending user action", errorCode == 65001, "Pending user action", errorCode == 52004, "Pending user action", errorCode == 50055, "Pending user action", errorCode == 50144, "Pending user action", errorCode == 50072, "Pending user action", errorCode == 50074, "Pending user action", errorCode == 16000, "Pending user action", errorCode == 16001, "Pending user action", errorCode == 16003, "Pending user action", errorCode == 50127, "Pending user action", errorCode == 50125, "Pending user action", errorCode == 50129, "Pending user action", errorCode == 50143, "Pending user action", errorCode == 81010, "Pending user action", errorCode == 81014, "Pending user action", errorCode == 81012, "Pending user action", "Failure")
| where TimeGenerated >= ago(7d) // ago() converts the 7d timespan into a datetime cutoff
| extend Os = tostring(DeviceDetail.operatingSystem)
| extend Computer = tostring(DeviceDetail.displayName)
| where SigninStatus == "Success"
| where Os == "Windows10"
| where isnotempty(Computer)
| summarize count() by Computer

Explanation

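This query shows the Windows 10 computers that have successfully logged in over the last 7 days. It combines interactive sign-ins (SigninLogs) with non-interactive sign-ins (AADNonInteractiveUserSignInLogs), labels each event as "Success", "Pending user action", or "Failure" based on its error code, and keeps only successful sign-ins from devices that report Windows 10 as the operating system and have a non-empty computer name. The query then counts the number of sign-ins for each computer.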

Details

Rod Trent

Released: November 4, 2021

Tables

AADNonInteractiveUserSignInLogs, SigninLogs

Keywords

Devices, Intune, User

Operators

extend, union, parse_json, case, where, extend, extend, where, where, where, isnotempty, summarize, by