For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
This query displays a descending list of the number of events ingested per EventID for Microsoft-Windows-Security-Auditing.
SecurityEvent
| where EventSourceName == "Microsoft-Windows-Security-Auditing"
| summarize EventCount = count() by EventID
| sort by EventCount desc
Who was added to security-enabled group over the last day?
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group
| summarize count() by SubjectAccount, Computer, _ResourceId
// This query requires the Security solution
List all accounts that logged on using a clear-text password over the last day.
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID == 4624 // event ID 4624: "an account was successfully logged on"
| where LogonType == 8 // logon type 8: "NetworkCleartext" (credentials sent in clear text, for example basic authentication)
| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account
// This query requires the Security solution
Find Windows accounts that failed to log on (event ID 4625).
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account
// This query requires the Security solution
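The failed-logon count above is a starting point; what an analyst usually wants is the burst of failures followed by a success for the same account on the same host, which is the signature of a brute-force or password-spray attempt that worked. The following query is an added example and is not part of the original page. It assumes the standard SecurityEvent schema (IpAddress, LogonType, TargetAccount, Computer) and uses an assumed threshold of 10 failures within a 10-minute window; tune both to your environment. Unlike the page's queries, which take their time range from the Log Analytics time picker or the alert rule, it pins its own lookback with ago().

```kusto
// Added example: failed-logon bursts (4625) followed by a network/RDP success (4624) within one hour.
let lookback = 1d;      // assumption: how far back to search
let window = 10m;       // assumption: bucket size for counting failures
let threshold = 10;     // assumption: failures per bucket that count as a burst
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                SourceIps = make_set(IpAddress, 10)
        by TargetAccount, Computer, bin(TimeGenerated, window)
    | where FailedCount >= threshold;
let successes =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (3, 10)   // network or RemoteInteractive
    | project SuccessTime = TimeGenerated, TargetAccount, Computer, SuccessIp = IpAddress;
failures
| join kind=inner successes on TargetAccount, Computer
| where SuccessTime between (LastFail .. (LastFail + 1h))   // success shortly after the burst
| project TargetAccount, Computer, FailedCount, FirstFail, LastFail, SuccessTime, SuccessIp, SourceIps
| sort by FailedCount desc
```

A hit where SuccessIp also appears in SourceIps is the strongest signal; a success from a different address after a burst is more often a user who locked themselves out and then logged on from their usual workstation.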
Security activities sorted by time (newest first).
SecurityEvent
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc
Security activities on a specific device sorted by time (newest first).
SecurityEvent
//| where Computer == "COMPUTER01.contoso.com" // Replace with a specific computer name
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc
Security activities on a specific device for the Administrator account, sorted by time (newest first).
SecurityEvent
//| where Computer == "COMPUTER01.contoso.com" // Replace with a specific computer name
| where TargetUserName == "Administrator"
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc
Counts logon activities per device.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer
Counts logon activities per device, showing only devices with more than 10 logons.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer
| where LogonCount > 10
Accounts which terminated Microsoft Antimalware.
SecurityEvent
| where EventID == 4689
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Account
Devices which terminated Microsoft Antimalware.
SecurityEvent
| where EventID == 4689
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Computer
Devices where hash.exe was executed more than 5 times.
SecurityEvent
| where EventID == 4688
| where Process has "hash.exe" or ParentProcessName has "hash.exe"
| summarize ExecutionCount = count() by Computer
| where ExecutionCount > 5
Lists number of executions per process.
SecurityEvent
| where EventID == 4688
| summarize ExecutionCount = count() by NewProcessName
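Counting executions per process is most useful when compared against a baseline: a binary that has never been seen on a host before is worth more attention than one that runs a thousand times a day. The following query is an added example, not part of the original page. It assumes process creation auditing (event ID 4688) is enabled and that command-line auditing is on so CommandLine is populated; the 14-day baseline and 1-day detection window are assumptions.

```kusto
// Added example: processes (4688) seen on a host in the last day but not in the preceding 14 days.
let baselineStart = 15d;   // assumption: start of the baseline period
let recent = 1d;           // assumption: detection window
let baseline =
    SecurityEvent
    | where TimeGenerated between (ago(baselineStart) .. ago(recent))
    | where EventID == 4688
    | distinct Computer, NewProcessName;
SecurityEvent
| where TimeGenerated > ago(recent)
| where EventID == 4688
| join kind=leftanti baseline on Computer, NewProcessName   // keep only (host, process) pairs absent from the baseline
| summarize ExecutionCount = count(),
            FirstSeen = min(TimeGenerated),
            Accounts = make_set(SubjectAccount, 5),
            ParentProcesses = make_set(ParentProcessName, 5),
            CommandLines = make_set(CommandLine, 3)   // empty unless command-line auditing is enabled
    by Computer, NewProcessName
| sort by ExecutionCount asc, FirstSeen asc
```

The leftanti join is what turns a plain count into a "new on this host" detection; the low ExecutionCount rows at the top of the result are the rare binaries, which is also where the hash.exe query above would surface if that binary were new.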
Devices with the security log cleared.
SecurityEvent
| where EventID == 1102
| summarize LogClearedCount = count() by Computer
Logon activity by account.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account
Logon activity for accounts with less than 5 logons.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account
| where LogonCount < 5
Remotely logged-on accounts on a specific device (network and RemoteInteractive logons).
SecurityEvent
| where EventID == 4624 and (LogonTypeName == "3 - Network" or LogonTypeName == "10 - RemoteInteractive")
//| where Computer == "Computer01.contoso.com" // Replace with a specific computer name
| summarize RemoteLogonCount = count() by Account
Computers with logons from guest accounts.
SecurityEvent
| where EventID == 4624 and TargetUserName == 'Guest' and LogonType in (10, 3)
| summarize count() by Computer
Members added to the security enabled groups.
SecurityEvent
| where EventID in (4728, 4732, 4756)
| summarize count() by SubjectAccount
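The count by SubjectAccount says who performed the additions but not which group or which member. For the three group-add events the group name is in TargetUserName and the added member is in MemberName, and a membership change on a privileged group deserves a row per event rather than a count. The following query is an added example, not part of the original page. The list of privileged group names is an assumption (extend it with your own tiered admin groups) and the one-day window is an assumption as well.

```kusto
// Added example: each member added to a security-enabled group (4728, 4732, 4756), flagging privileged groups.
let privilegedGroups = dynamic([   // assumption: groups treated as privileged
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Backup Operators", "Server Operators",
    "Remote Desktop Users", "DnsAdmins"]);
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID in (4728, 4732, 4756)
| extend GroupName = TargetUserName, GroupDomain = TargetDomainName
| extend GroupScope = case(EventID == 4728, "Global",
                           EventID == 4732, "Local",
                           "Universal")
| extend IsPrivileged = GroupName in~ (privilegedGroups)   // case-insensitive match
| project TimeGenerated, Computer, Actor = SubjectAccount, GroupDomain, GroupName, GroupScope,
          MemberName, MemberSid, IsPrivileged
| sort by IsPrivileged desc, TimeGenerated desc
```

For an alert rule, add `| where IsPrivileged` as the final line so only privileged-group additions fire; keep the unfiltered version for hunting, since attackers also use unremarkable groups that happen to carry rights through nested membership.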
Counts domain policy change events (event ID 4739) by the type of change.
SecurityEvent
| where EventID == 4739
| summarize count() by DomainPolicyChanged
System audit policy changed events by computer.
SecurityEvent
| where EventID == 4719
| summarize count() by Computer
Lists suspicious executables: files that ran five times or fewer and have no fully qualified binary name (Fqbn is '-', meaning the file is unsigned), based on AppLocker event ID 8002.
SecurityEvent
| where EventID == 8002 and Fqbn == '-'
| summarize ExecutionCountHash=count() by FileHash
| where ExecutionCountHash <= 5
Logons with clear text password by target account.
SecurityEvent
| where EventID == 4624 and LogonType == 8
| summarize count() by TargetAccount
Computers with cleared event logs (event ID 1102, or 517 on older Windows versions).
SecurityEvent
| where EventID in (1102, 517) and EventSourceName == 'Microsoft-Windows-Eventlog'
| summarize count() by Computer
Counts failed logons by target account.
SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount
Counts locked-out accounts (event ID 4740) by target account.
SecurityEvent
| where EventID == 4740
| summarize count() by TargetAccount
Counts password change (4723) and reset (4724) attempts per target account.
SecurityEvent
| where EventID in (4723, 4724)
| summarize count() by TargetAccount
Groups created or modified per target account.
SecurityEvent
| where EventID in (4727, 4731, 4735, 4737, 4754, 4755)
| summarize count() by TargetAccount
Counts remote procedure call attempts per computer.
SecurityEvent
| where EventID == 5712
| summarize count() by Computer
Counts user account creation (4720) and enable (4722) events per target account.
SecurityEvent
| where EventID in (4720, 4722)
| summarize count() by TargetAccount