Forum Discussion
OMS query for ad login and log offs
- Feb 21, 2018
Hi,
In order to monitor security events you will need to deploy the Security & Audit solution. Keep in mind that since Ignite 2017 that solution is now part of Azure Security Center rather than Log Analytics, which means separate pricing. Azure Security Center uses the Log Analytics platform for storing data. Once you deploy and configure the Security & Audit solution there are two simple queries that you can use to see that data:
Logged off accounts:
SecurityEvent | where EventID == 4634 | sort by TimeGenerated desc
Logged on users
SecurityEvent | where EventID == 4624 | sort by TimeGenerated desc
These are single events and there are additional events related to those. Sources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
The Security & Audit solution contains some dashboards related to logons and logoffs.
You also cannot gather security logs without actually using the Security & Audit solution.
Hope this helps!
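As an added example, not part of the reply above: the two single-event queries can be tied together, pairing each interactive or RDP logon (4624) with the logoff (4634) that carries the same TargetLogonId on the same host, so you get a session list instead of two separate event streams. Column names are the standard SecurityEvent schema; the 24h window, the LogonType filter and the machine-account exclusion are choices made for this example and should be adjusted to your environment.

```kql
// Added example (not from the original post): correlate 4624 logons with
// their 4634 logoffs by host and LogonId, for interactive/RDP sessions only.
let lookback = 24h;                              // assumption: one day of data
let logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where toint(LogonType) in (2, 10)           // 2 = Interactive, 10 = RemoteInteractive (RDP)
    | where TargetUserName !endswith "$"          // drop computer accounts
    | project LogonTime = TimeGenerated, Computer, TargetUserName, TargetDomainName,
              TargetLogonId, LogonType, IpAddress;
let logoffs = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4634
    | project LogoffTime = TimeGenerated, Computer, TargetLogonId;
logons
| join kind=leftouter logoffs on Computer, TargetLogonId   // unmatched logons keep a null LogoffTime
| extend SessionLength = iff(isnull(LogoffTime), "still logged on", tostring(LogoffTime - LogonTime))
| project LogonTime, Computer,
          Account = strcat(TargetDomainName, @"\", TargetUserName),
          LogonType, IpAddress, LogoffTime, SessionLength
| sort by LogonTime desc
```

Two caveats: 4634 is also generated for every network (LogonType 3) logon, which is why the example filters on LogonType before joining; and a user-initiated logoff raises 4647 in addition to 4634, so if you care about who clicked "sign out" rather than when the session ended, query 4647 as well.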
Hi,
There are two things that control what kind of security events are collected.
The first is:
I have mentioned that previously. You have to be on Common at least.
The second setting is in your servers' or domain controllers' policy. You have to make sure that the audit policy on your computers logs logon and logoff events. If those events are present in the Windows Security event log and your setting is at the Common level, this would ingest logon/logoff events along with the other security events.
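Added example, not from the reply above: a coverage check that tells the two causes described there apart from the workspace side. A host that sends heartbeats but no SecurityEvent rows at all points at the solution or collection tier; a host that sends other security events but no 4624/4634 points at the audit policy on the machine (which is what a GPO overwrite looks like). The Heartbeat and SecurityEvent column names are standard; the 24h window is an assumption for this example.

```kql
// Added example (not from the original post): Windows hosts reporting to the
// workspace that are missing logon/logoff events, with a likely cause.
let lookback = 24h;                              // assumption: one day of data
let reporting = Heartbeat
    | where TimeGenerated > ago(lookback)
    | where OSType == "Windows"
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
let anySecurity = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | summarize AllSecurityEvents = count() by Computer;
let logonEvents = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (4624, 4634)
    | summarize LogonLogoffEvents = count() by Computer;
reporting
| join kind=leftouter anySecurity on Computer
| join kind=leftouter logonEvents on Computer
| extend AllSecurityEvents = coalesce(AllSecurityEvents, 0),
         LogonLogoffEvents = coalesce(LogonLogoffEvents, 0)
| extend Diagnosis = case(
      AllSecurityEvents == 0,  "no SecurityEvent rows: check Security & Audit solution / collection tier",
      LogonLogoffEvents == 0,  "security events flowing but no 4624/4634: check audit policy (GPO)",
                               "ok")
| where Diagnosis != "ok"
| project Computer, LastHeartbeat, AllSecurityEvents, LogonLogoffEvents, Diagnosis
| sort by LastHeartbeat desc
```

Run it after changing the tier or the GPO; a host should drop off the list within one collection interval once the Security log on that machine actually contains the events.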
Turns out it was a GP issue. The engineer involved thought it was correct, but the policies in question were being overwritten. Thanks for your help anyway.