Forum Discussion

Kewskills's avatar
Kewskills
Copper Contributor
Jun 30, 2023
Solved

KQL Query help

Hi, I'm new to Sentinel and KQL and wish to use the Security Event logs that are being sent to sentinel to get information about AD logons. I have manged to get the logs but I am not able to sort th...
KQL
  • KubaTom's avatar
    KubaTom
    Jun 30, 2023
    This should do the trick, just be aware that the FirstLogonOfTheDay might as well be a failed attempt if you keep 4625. Also, summarizing like this will not give you a full picture of user's activity i.e. a single, all-day session vs several shorter ones will return exactly the same time values. It all depends on what your use case is, but you might need to modify the query a bit further.

    let FirstLogonOfTheDay=SecurityEvent
    | where TimeGenerated between (startofday(ago(2d)) .. endofday(ago(1h)))
    | where AccountType == 'User' and EventID in (4624, 4625)
    | extend Date=format_datetime(TimeGenerated, 'dd-MM-yyyy')
    | summarize arg_min(TimeGenerated, *) by TargetUserName, Date
    | extend FirstLogonOfTheDay=TimeGenerated;
    SecurityEvent
    | where TimeGenerated between (startofday(ago(2d)) .. endofday(ago(1h)))
    | where AccountType == 'User' and EventID in (4634)
    | extend Date=format_datetime(TimeGenerated, 'dd-MM-yyyy')
    | summarize arg_max(TimeGenerated, *) by TargetUserName, Date
    | extend LastLogoffOfTheDay=TimeGenerated
    | join kind=inner FirstLogonOfTheDay on Date, TargetUserName
    //| where TargetUserName =~ 'jsmith'
    | project Date, TargetUserName, FirstLogonOfTheDay, LastLogoffOfTheDay, SourceSystem, Account, AccountType, Computer, EventSourceName, Channel
    | sort by TargetUserName asc, Date desc
KubaTom's avatar
KubaTom
Brass Contributor
Jun 30, 2023
This should do the trick, just be aware that the FirstLogonOfTheDay might as well be a failed attempt if you keep 4625. Also, summarizing like this will not give you a full picture of user's activity i.e. a single, all-day session vs several shorter ones will return exactly the same time values. It all depends on what your use case is, but you might need to modify the query a bit further.

let FirstLogonOfTheDay=SecurityEvent
| where TimeGenerated between (startofday(ago(2d)) .. endofday(ago(1h)))
| where AccountType == 'User' and EventID in (4624, 4625)
| extend Date=format_datetime(TimeGenerated, 'dd-MM-yyyy')
| summarize arg_min(TimeGenerated, *) by TargetUserName, Date
| extend FirstLogonOfTheDay=TimeGenerated;
SecurityEvent
| where TimeGenerated between (startofday(ago(2d)) .. endofday(ago(1h)))
| where AccountType == 'User' and EventID in (4634)
| extend Date=format_datetime(TimeGenerated, 'dd-MM-yyyy')
| summarize arg_max(TimeGenerated, *) by TargetUserName, Date
| extend LastLogoffOfTheDay=TimeGenerated
| join kind=inner FirstLogonOfTheDay on Date, TargetUserName
//| where TargetUserName =~ 'jsmith'
| project Date, TargetUserName, FirstLogonOfTheDay, LastLogoffOfTheDay, SourceSystem, Account, AccountType, Computer, EventSourceName, Channel
| sort by TargetUserName asc, Date desc
  • Kewskills's avatar
    Kewskills
    Copper Contributor
    Jun 30, 2023
    This works a treat, you have made my life so much easer, All I have to do now is go through and understand it. much appreciated.
  • Kewskills's avatar
    Kewskills
    Copper Contributor
    Jun 30, 2023
    Many Thanks I will give it a try

Resources