Forum Discussion

4 Replies

  • Srini1987

    CliveWatson is raising good points - you can only check which accounts actually sent login events in the past but did not send them again over the last 60 days. That means you should have a long retention of those logs. For Windows, you should have something like that:

    SecurityEvent
    | where TimeGenerated > ago(90d)    // or however long your retention is
    | where EventID == 4624             // this is the logon event ID
    | summarize arg_max(TimeGenerated, *) by TargetAccount    // gets the latest logon per account
    | where TimeGenerated < ago(60d)    // keeps only accounts whose last logon is older than 60 days


    Similarly, for Linux it should be (not verified)

    LinuxAuditLog
    | where TimeGenerated > ago(90d)
    | where RecordType == 'user_login' and res == 'success'
    | summarize arg_max(TimeGenerated, *) by acct    // latest successful login per account
    | where TimeGenerated < ago(60d)
    • Srini1987

      Noa Kuperberg 


      Perfect solution, which is what I was expecting.

      Thanks for taking the time to help on the case.
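The same logic as the SecurityEvent query above, as an added example that is not part of this thread: it takes the latest 4624 logon per TargetAccount inside the retention window and flags accounts whose last logon is older than 60 days, and it also makes CliveWatson's caveat concrete by listing accounts that have no logon event inside the retention window at all. The sample events and the account inventory list are constructed; the inventory is assumed to come from AD or the IdP, not from the log table.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security events standing in for the
# SecurityEvent table (EventID 4624 = successful logon, 4625 = failed logon).
NOW = datetime(2024, 6, 30)
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(days=2),  "EventID": 4624, "TargetAccount": "CORP\\alice"},
    {"TimeGenerated": NOW - timedelta(days=75), "EventID": 4624, "TargetAccount": "CORP\\alice"},
    {"TimeGenerated": NOW - timedelta(days=70), "EventID": 4624, "TargetAccount": "CORP\\bob"},
    {"TimeGenerated": NOW - timedelta(days=5),  "EventID": 4625, "TargetAccount": "CORP\\bob"},    # failed logon, not counted
    {"TimeGenerated": NOW - timedelta(days=95), "EventID": 4624, "TargetAccount": "CORP\\carol"},  # outside 90d retention
]


def dormant_accounts(events, now, retention_days=90, dormant_days=60):
    """Mirror of the KQL: keep 4624 events within the retention window,
    take the latest logon per account (arg_max), and return the accounts
    whose latest logon is older than dormant_days as {account: last_logon}."""
    retention_start = now - timedelta(days=retention_days)
    last_logon = {}
    for ev in events:
        if ev["EventID"] != 4624 or ev["TimeGenerated"] <= retention_start:
            continue
        acct = ev["TargetAccount"]
        if acct not in last_logon or ev["TimeGenerated"] > last_logon[acct]:
            last_logon[acct] = ev["TimeGenerated"]
    cutoff = now - timedelta(days=dormant_days)
    return {acct: t for acct, t in last_logon.items() if t < cutoff}


def unobservable_accounts(events, inventory, now, retention_days=90):
    """The caveat from the thread: an account with no logon event inside the
    retention window never appears in the query output, so it cannot be
    classified from the logs. Given an account inventory (assumed to come
    from AD or the IdP), list the accounts the log-based check cannot see."""
    retention_start = now - timedelta(days=retention_days)
    seen = {ev["TargetAccount"] for ev in events
            if ev["EventID"] == 4624 and ev["TimeGenerated"] > retention_start}
    return sorted(set(inventory) - seen)


if __name__ == "__main__":
    inventory = ["CORP\\alice", "CORP\\bob", "CORP\\carol", "CORP\\dave"]  # constructed
    print("dormant:", dormant_accounts(SAMPLE_EVENTS, NOW))
    print("no logon within retention:", unobservable_accounts(SAMPLE_EVENTS, inventory, NOW))
```

Only bob is reported as dormant: alice logged on two days ago, and carol's only logon is beyond the retention window, so she and dave (no events at all) surface only through the inventory comparison.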

  • Do you have 60 days of data in your workspace? Typically you'll need the SecurityEvent table and EventID 4624 for logons... do you have this?
