Forum Discussion

yashsedani's avatar
yashsedani
Brass Contributor
Feb 12, 2020

Log Analytics Query for computer last login/active date and time

Hi,   I am looking for a query where I can get last login/active date and time for computers in a separate column.   I am already using the below query for windows update   WaaSDeploymentStatu...
azure monitor
Custom Logs and Custom Fields
JamesvandenBerg's avatar
JamesvandenBerg
MVP
Feb 17, 2020

yashsedani 

Did you see this link?

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/joins

 

SecurityEvent
| where EventID == 4624 // sign-in events
| project Computer, Account, TargetLogonId, LogonTime=TimeGenerated
| join kind= inner (
SecurityEvent
| where EventID == 4634 // sign-out events
| project TargetLogonId, LogoffTime=TimeGenerated
) on TargetLogonId
| extend Duration = LogoffTime-LogonTime
| project-away TargetLogonId1
| top 10 by Duration desc

  • CliveWatson's avatar
    CliveWatson
    Former Employee
    Feb 17, 2020

    Hello JamesvandenBerg 

     

    The issue is that he doesn't (yet) have that data source.  yashsedani  to on-board this data source, you will need to enable Azure Security Center - which needs the standard licence (31days eval is also available); so this would billable against you Azure enrollment (just like Log Analytics). 

    You can also get SecurityEvent from Azure Sentinel - with the Security Events data collector, again its billable. 

     

    https://azure.microsoft.com/en-us/pricing/details/security-center/ 

     

    Thanks Clive 

Resources