Forum Discussion
May 08, 2023
Advanced Hunting
Find out who are the local administrators of the devices through the hunting function in Microsoft Defender for Endpoint.
0fflinedocs
May 16, 2023 | Brass Contributor
You can use this query to find local admin logins on a device, summarizing device name and account name:
DeviceLogonEvents
| where IsLocalAdmin == 1
| project DeviceName, AccountDomain, AccountName, LogonType, ActionType
| summarize count() by DeviceName, AccountName
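
A variant of the query above, as an added example that is not part of the original reply: it keeps only successful logons, groups by AccountDomain as well so same-named local and domain accounts stay separate, and records when each account was first and last seen. The 30-day window is an assumption; the result covers only accounts that actually logged on with local administrator rights in that window, so an administrator that never logged on will not appear.

```kql
// Added example: accounts observed logging on with local administrator rights.
// Assumption: a 30-day lookback window; adjust to the period you need.
DeviceLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonSuccess"          // ignore failed attempts
| where IsLocalAdmin == true
| summarize
    Logons     = count(),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp),
    LogonTypes = make_set(LogonType)           // e.g. interactive vs. remote interactive
    by DeviceName, AccountDomain, AccountName
| order by DeviceName asc, Logons desc
```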