Query Details

Adminskql

Query

WindowsEvent
| where TimeGenerated > ago(7d)
// Data holds the EventData block; parse it once so the fields can be addressed by name
| extend eventData = parse_json(Data)
| project TimeGenerated, Computer, EventID,
          Data_MemberName = tostring(eventData.MemberName),
          Data_SubjectDomainName = tostring(eventData.SubjectDomainName),
          Data_SubjectUserName = tostring(eventData.SubjectUserName),
          Data_TargetUserName = tostring(eventData.TargetUserName)
// Keep only events whose target object is one of the two highest-privilege AD groups
| where Data_TargetUserName == "Domain Admins" or Data_TargetUserName == "Enterprise Admins"

Explanation

This query retrieves Windows events that occurred within the last 7 days. It parses the event's Data field as JSON and projects the time the event was generated, the computer name, the event ID, and the member, subject (actor) and target user names taken from the event data. Finally, it filters the results to only those events whose target user name is either "Domain Admins" or "Enterprise Admins". Note that the query does not restrict the EventID, so every event naming one of those groups as its target is returned, not only group membership changes.
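The same parse-and-filter logic, as an added example that is not part of the original query page, run over a handful of constructed rows in a datatable so it can be tried without a workspace. It goes one step further than the page's query by restricting to the security group membership change events (4728/4732/4756 for a member added to a global/local/universal group, 4729/4733/4757 for a member removed) and labelling each row as an add or a remove. The ago(7d) window is omitted because the sample timestamps are fixed; the computer names, account names and JSON payloads are made up for the example.

```kql
// Added example, not the original page's query. Assumes the Data column carries the
// EventData block as a JSON object keyed by the field names used in the page's query.
// All row values below are constructed sample data.
let SampleEvents = datatable(TimeGenerated:datetime, Computer:string, EventID:int, Data:string) [
    datetime(2020-03-20T10:00:00Z), "DC01.contoso.local", 4728, '{"MemberName":"CN=jdoe,OU=Users,DC=contoso,DC=local","SubjectDomainName":"CONTOSO","SubjectUserName":"admin1","TargetUserName":"Domain Admins"}',
    datetime(2020-03-21T11:30:00Z), "DC01.contoso.local", 4756, '{"MemberName":"CN=svc-backup,OU=Service,DC=contoso,DC=local","SubjectDomainName":"CONTOSO","SubjectUserName":"admin2","TargetUserName":"Enterprise Admins"}',
    datetime(2020-03-22T09:15:00Z), "DC02.contoso.local", 4729, '{"MemberName":"CN=jdoe,OU=Users,DC=contoso,DC=local","SubjectDomainName":"CONTOSO","SubjectUserName":"admin1","TargetUserName":"Domain Admins"}',
    datetime(2020-03-22T09:20:00Z), "DC02.contoso.local", 4728, '{"MemberName":"CN=bob,OU=Users,DC=contoso,DC=local","SubjectDomainName":"CONTOSO","SubjectUserName":"admin1","TargetUserName":"Helpdesk"}'
];
SampleEvents
// Parse EventData once and pull out the fields as strings
| extend eventData = parse_json(Data)
| extend MemberName = tostring(eventData.MemberName),
         SubjectDomainName = tostring(eventData.SubjectDomainName),
         SubjectUserName = tostring(eventData.SubjectUserName),
         TargetUserName = tostring(eventData.TargetUserName)
// Same group filter as the page's query, written with in()
| where TargetUserName in ("Domain Admins", "Enterprise Admins")
// 4728/4732/4756: member added to a security-enabled global/local/universal group
// 4729/4733/4757: member removed from the same group types
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757)
| extend Action = case(EventID in (4728, 4732, 4756), "Added", "Removed")
// Actor is the account that performed the change, in DOMAIN\user form
| project TimeGenerated, Computer, EventID, Action, TargetUserName, MemberName,
          Actor = strcat(SubjectDomainName, @"\", SubjectUserName)
| order by TimeGenerated asc
```

Against the sample rows this returns three results: jdoe added to Domain Admins, svc-backup added to Enterprise Admins, and jdoe removed from Domain Admins; the Helpdesk row is dropped by the group filter. Replace the datatable with the WindowsEvent table and restore the TimeGenerated window to run it against live data.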

Details


Rod Trent

Released: March 26, 2020

Tables

WindowsEvent

Keywords

WindowsEvent, TimeGenerated, Computer, EventID, Data.MemberName, Data.SubjectDomainName, Data.SubjectUserName, Data.TargetUserName, Data_TargetUserName, Domain Admins, Enterprise Admins

Operators

|, where, >, ago, extend, parse_json, project, ==, or
