GUID to AD Computer Object name


Hi All


I am a complete newbie to Log Analytics so don’t know if this is possible.


I have been asked to query Analytics to see who and when Windows LAPS (Local Administrator Password Solution) has been accessed. Each time the Helpdesk staff use LAPS, event 4662 is generated on the DC and is uploaded. I have written the below basic query that returns the information that I need. But the ObjectName returns as a GUID (the event ID shows the GUID also). Is there a way to translate that GUID to the computer object name from AD within Analytics?

Hope you can help!

Thanks!


************* Query ****************

SecurityEvent
| where EventID == 4662
| where AccountType == "User"
| where Properties == "%%7688                              {771727b1-31b8-4cdf-ae62-4fe39fadf89e}                                              {d659835a-c218-4cd3-a129-876324f81989}         {bf967a86-0de6-11d0-a285-00aa003049e2} "
| project TimeGenerated, Account, ObjectName


************ Example output ***************

TimeGenerated   2019-03-29T10:01:25.307Z                  #Time and time
Account         Domain\John.doe                           #Name of helpdesk staff
ObjectName      %{66f5f2dd-3081-4e29-8ete-da98ce2f67d4}   #Computer object that was queried.

2 Replies
Hi,

You can't send LDAP requests from within Log Analytics queries. What you can do is write a script that would rip the list of relevant objects from AD/AAD and inject them into Log Analytics, and then you can join them in this query. You can ingest the data using this API: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-collector-api

Thanks,
Meir :>

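The approach Meir describes, as an added example that is not from the thread and not Microsoft's own sample code: export AD computer objects as GUID-to-name records, post them to a Log Analytics custom table through the HTTP Data Collector API, and then resolve the GUID that event 4662 reports in ObjectName back to a computer name. The signing is the Data Collector API's documented SharedKey scheme (HMAC-SHA256 over the canonical request, keyed with the base64-decoded workspace key). The workspace ID and key are placeholders, the custom table name ADComputers (which the workspace exposes as ADComputers_CL) is my choice, and the GUID/name pairs are made up to stand in for Get-ADComputer output.

```python
"""Added example (not from the original thread or from Microsoft): export
AD computer objects as GUID -> name records, push them into a Log Analytics
custom table through the HTTP Data Collector API, and resolve the GUID that
event 4662 reports in ObjectName back to a computer name."""
import base64
import hashlib
import hmac
import json
import re
import urllib.request
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data standing in for Get-ADComputer output; the GUIDs and
# names are made up for this example.
SAMPLE_COMPUTERS = [
    {"ObjectGuid": "66f5f2dd-3081-4e29-8abc-da98ce2f67d4", "ComputerName": "WS-HELPDESK-01"},
    {"ObjectGuid": "0f9c2b6e-1d3a-4b7c-9e8f-2a4b6c8d0e1f", "ComputerName": "WS-FINANCE-07"},
]

# Placeholders only: a real workspace ID is a GUID and the shared key comes from
# the workspace's agent settings. Keep the real key in a secret store, not here.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"PLACEHOLDER-NOT-A-REAL-KEY").decode()
LOG_TYPE = "ADComputers"  # surfaces as the ADComputers_CL table in the workspace

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def normalize_object_guid(object_name: str) -> Optional[str]:
    """Reduce a 4662 ObjectName such as '%{66F5F2DD-...}' to a lowercase bare GUID.

    Returns None when the field carries no well-formed GUID, so the caller
    leaves that row unresolved instead of joining on a malformed value."""
    match = GUID_RE.search(object_name)
    return match.group(0).lower() if match else None


def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """Data Collector API Authorization header: HMAC-SHA256 over the canonical
    request string, keyed with the base64-decoded workspace shared key."""
    string_to_hash = "\n".join([method, str(content_length), content_type,
                                "x-ms-date:" + rfc1123_date, resource])
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_hash.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, records, rfc1123_date=None):
    """Assemble URL, headers and JSON body for one POST of records to the API."""
    body = json.dumps(records).encode("utf-8")
    date = rfc1123_date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


def post_records(workspace_id, shared_key, log_type, records):
    """Send the records to the workspace (needs network access and a real key);
    the API answers 200 on success."""
    url, headers, body = build_request(workspace_id, shared_key, log_type, records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def resolve_computer_name(object_name, computers):
    """Python mirror of the KQL join below: map one 4662 ObjectName to a name."""
    guid = normalize_object_guid(object_name)
    lookup = {c["ObjectGuid"].lower(): c["ComputerName"] for c in computers}
    return lookup.get(guid) if guid else None


# The join to run in Log Analytics once ADComputers_CL is populated. String
# fields in custom tables carry the _s suffix. `has` on the attribute GUID
# replaces the exact match on the whitespace-padded Properties string, which
# breaks as soon as the padding differs.
KQL_JOIN = """
SecurityEvent
| where EventID == 4662 and AccountType == "User"
| where Properties has "771727b1-31b8-4cdf-ae62-4fe39fadf89e"
| extend ObjectGuid = tolower(extract(@"([0-9a-fA-F-]{36})", 1, ObjectName))
| join kind=leftouter (
    ADComputers_CL
    | summarize arg_max(TimeGenerated, ComputerName_s) by ObjectGuid = tolower(ObjectGuid_s)
  ) on ObjectGuid
| project TimeGenerated, Account, ObjectGuid, ComputerName = ComputerName_s
"""

if __name__ == "__main__":
    # Offline demonstration: show the signed request and one GUID resolution.
    url, headers, _ = build_request(WORKSPACE_ID, SHARED_KEY, LOG_TYPE, SAMPLE_COMPUTERS)
    print(url)
    print(headers["Authorization"][:40] + "...")
    print(resolve_computer_name("%{66F5F2DD-3081-4E29-8ABC-DA98CE2F67D4}", SAMPLE_COMPUTERS))
```

Run the export on a schedule so the table tracks renames and new machines; the `arg_max` in the join picks the newest record per GUID. Note that 4662 writes the GUID in upper case with a `%{...}` wrapper while AD exports it lower case, so both sides are lower-cased before joining.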
Thanks Meir!


Brian.