Mar 29 2019 06:52 AM - last edited on Apr 07 2022 05:43 PM by TechCommunityAP
Hi All,
I am a complete newbie to Log Analytics, so I don't know if this is possible.
I have been asked to query Analytics to see who has accessed Windows LAPS (Local Administrator Password Solution) and when. Each time the Helpdesk staff use LAPS, event 4662 is generated on the DC and is uploaded. I have written the basic query below, which returns the information that I need, but the ObjectName is returned as a GUID (the event ID shows the GUID as well). Is there a way to translate that GUID to the computer object name from AD within Analytics?
Hope you can help!
Thanks!
************* Query ****************
SecurityEvent
| where EventID == 4662
| where AccountType == "User"
| where Properties == "%%7688 {771727b1-31b8-4cdf-ae62-4fe39fadf89e} {d659835a-c218-4cd3-a129-876324f81989} {bf967a86-0de6-11d0-a285-00aa003049e2} "
| project TimeGenerated, Account, ObjectName
************ Example output ***************
TimeGenerated: 2019-03-29T10:01:25.307Z #Date and time
Account: Domain\John.doe #Name of helpdesk staff
ObjectName: %{66f5f2dd-3081-4e29-8ete-da98ce2f67d4} #Computer object that was queried.
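One way to do the translation inside the query itself, added here as an example and not part of the original post: pull the GUID out of ObjectName and look it up against a GUID-to-computer-name table. Log Analytics has no view into AD, so the mapping has to be supplied to it; the datatable below is a constructed stand-in (the computer names and the second GUID are assumed values), and in practice the table would be exported from AD (objectGUID to Name) and loaded as a custom table or read with externaldata().

```kql
// Added example, not from the original post. Log Analytics cannot resolve an AD
// objectGUID by itself, so the GUID -> computer-name mapping is supplied as a lookup table.
// The rows below are constructed sample data; the real table would be exported from AD
// and loaded into a custom table or read via externaldata().
let ComputerLookup = datatable(ObjectGuid:string, ComputerName:string)
[
    "66f5f2dd-3081-4e29-8ete-da98ce2f67d4", "WS-HELPDESK-TEST-01",  // GUID taken from the post's sample output, name assumed
    "00000000-0000-0000-0000-000000000001", "WS-HELPDESK-TEST-02"   // constructed placeholder row
];
SecurityEvent
| where EventID == 4662
| where AccountType == "User"
// same access-mask / GUID filter as the original query
| where Properties == "%%7688 {771727b1-31b8-4cdf-ae62-4fe39fadf89e} {d659835a-c218-4cd3-a129-876324f81989} {bf967a86-0de6-11d0-a285-00aa003049e2} "
// ObjectName arrives as "%{<guid>}"; extract the GUID and normalise case so the join matches
| extend ObjectGuid = tolower(extract(@"\{([^}]+)\}", 1, ObjectName))
// left outer lookup keeps events whose GUID is missing from the table (ComputerName stays empty)
| lookup kind=leftouter ComputerLookup on ObjectGuid
| project TimeGenerated, Account, ObjectGuid, ComputerName
| order by TimeGenerated desc
```

An empty ComputerName in the result is worth surfacing rather than hiding: it means the GUID is not in the mapping, typically a stale export or a computer object deleted since the access. Note also that the original filter is an exact string comparison on Properties, trailing space included, so any variation in how the property string is rendered silently drops rows; filtering with `has` on the individual GUIDs is more tolerant if that turns out to be a problem.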