Forum Discussion
OMS query for ad login and log offs
Hi all,
Installed log analytics on a domain controller. Hoping to use it to build a quick dashboard for user logon and log off times.
Can we do this and can anyone point me in the right direction for the query to run?
Hi,
In order to monitor security events you will need to deploy the Security & Audit solution. Keep in mind that since Ignite 2017 that solution is now part of Azure Security Center rather than Log Analytics, which means separate pricing. Azure Security Center uses the Log Analytics platform for storing data. Once you deploy and configure the Security & Audit solution there are two simple queries that you can use to see that data:
Logged off accounts:
SecurityEvent | where EventID == 4634 | sort by TimeGenerated desc
Logged on users:
SecurityEvent | where EventID == 4624 | sort by TimeGenerated desc
These are single events and there are more additional events related to those. Sources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
The Security & Audit solution contains some dashboards related to logins and logoff.
You also cannot gather security logs without actually using the Security & Audit solution.
Hope this helps!
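Added example (not part of the original answer): the two queries above combined so that each 4624 logon is matched to its 4634 logoff through the logon ID, giving one row per session for a logon/logoff dashboard. It assumes the standard SecurityEvent columns TargetLogonId, LogonType, Account and IpAddress; the 7-day window and the logon-type filter are choices made for this example.

```kql
// Added example: one row per session with logon time, logoff time and duration.
let lookback = 7d;                        // assumed reporting window
let logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624               // successful logon
    // Assumed filter: 2 = interactive, 10 = remote interactive (RDP).
    // Remove it to include network logons (type 3), which make up most
    // 4624 events recorded on a domain controller.
    | where LogonType in (2, 10)
    | project LogonTime = TimeGenerated, Computer, Account, LogonType,
              IpAddress, TargetLogonId;
let logoffs = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4634               // logoff
    | project LogoffTime = TimeGenerated, Computer, TargetLogonId;
logons
// The logon ID is only unique per computer and per boot, so join on both
// columns and keep the first logoff that follows the logon.
| join kind=leftouter logoffs on Computer, TargetLogonId
| summarize LogoffTime = minif(LogoffTime, LogoffTime >= LogonTime)
    by Account, Computer, LogonType, IpAddress, TargetLogonId, LogonTime
// LogoffTime stays empty for sessions that are still open or whose
// logoff event was not collected.
| extend SessionDuration = LogoffTime - LogonTime
| project Account, Computer, LogonType, IpAddress, LogonTime, LogoffTime,
          SessionDuration
| sort by LogonTime desc
```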
12 Replies
- Jonatan Kragh Hovgaard (Copper Contributor)
Isn't it a bit outrageous to remove SecurityEvents from the Azure Log Analytics and force the customers to purchase another solution (Security & Audit) in order to centralize logging of security-related events? I mean, the customer can still do it with Application and System logs.
- I want to state that I am not and do not work for Microsoft. There was never the ability to gather security events without the Security and Audit solution (now ASC), so nothing was removed. That is just the history without me taking any side.