Forum Discussion

yashsedani's avatar
yashsedani
Brass Contributor
Feb 12, 2020

Log Analytics Query for computer last login/active date and time

Hi,   I am looking for a query where I can get last login/active date and time for computers in a separate column.   I am already using the below query for windows update   WaaSDeploymentStatu...
azure monitor
Custom Logs and Custom Fields
CliveWatson's avatar
CliveWatson
Former Employee
Feb 12, 2020

yashsedani 

 

That table doesn't contain that data, so are you looking for a JOIN to a table that does, something like 

WaaSDeploymentStatus
| where UpdateCategory == "Quality" and TimeGenerated > ago(60d)
| summarize updateInfo = arg_max(ReleaseName, DeploymentStatus, DetailedStatus, DetailedStatusLevel, ExpectedInstallDate) by Computer
| join  (
SecurityEvent
| where EventID == 4624  // 4624 - An account was successfully logged on 
| summarize  LastHeatbeat = arg_max(TimeGenerated, *) by Computer
) on Computer
| project updateInfo , LastHeatbeat

 

yashsedani's avatar
yashsedani
Brass Contributor
Feb 12, 2020

CliveWatson 

I see the attached.

 

Syntax Error
'where' operator: Failed to resolve table or column expression named 'SecurityEvent' If issue persists, please open a support ticket. Request id: 4a962d40-99f6-4ed4-a66a-f8d9115c0c29
  • CliveWatson's avatar
    CliveWatson
    Former Employee
    Feb 12, 2020

    Hello yashsedani

     

    SecurityEvent is a table that could have that data, I used it as an example - that error suggests you don't have it, so you need to use another.   I wasn't sure if you thought the column of data was in the WaaSDeploymentStatus table or you needed from another table, if so do you know which one?

     

    Thanks Clive

    • yashsedani's avatar
      yashsedani
      Brass Contributor
      Feb 12, 2020

      CliveWatson 

       

      I just need a query where i can get last login/active date and time of all the computers. 

      The Query which is posted in my first message gives me the list if machines those are not up-to-date but few of them are not even in Active Directory (may be Object is deleted or renamed).

       

      If adding a column to my query is not possible, i am comfortable with running another query for last login/active date and then will merge both the reports.

      • CliveWatson's avatar
        CliveWatson
        Former Employee
        Feb 13, 2020

        yashsedani 

         

        You haven't listed any Tables - and there are 100s - so its kind of hard for me to guess on what you have.

        For instance I have 33 tables that contain a Computer column - only a few of those may have logon info.

        union withsource = TableName *
| where isnotempty(Computer)
| summarize count() by TableName

         

        This would list the last record per computer (assumes you have the Heartbeat table)

        Heartbeat
| summarize  arg_max(TimeGenerated,*) by Computer

         

        The reason I didn't suggest Heartbeat is that machines in the WaaS table don't always have the agent, so this doesn't work for me, but may for you?

         

        WaaSDeploymentStatus
| where UpdateCategory == "Quality" and TimeGenerated > ago(60d)
| summarize updateInfo = arg_max(ReleaseName, DeploymentStatus, DetailedStatus, DetailedStatusLevel, ExpectedInstallDate) by Computer
| join  (
Heartbeat
| summarize  LastHeatbeat = arg_max(TimeGenerated, *) by Computer
) on Computer
| project updateInfo , LastHeatbeat

         

        For instance if you say you have SigninLogs then this may work

         

        SigninLogs
| extend displayName_ = tostring(DeviceDetail.displayName) 
| summarize arg_max(TimeGenerated, *) by displayName_

         

         
         

         

         

         

         

Resources