Nov 23 2017 04:37 AM - last edited on Apr 07 2022 04:48 PM by TechCommunityAP
Hi all.
I'm not sure if this is the right place to ask, but here goes.
I have been asked to make a dashboard showing the count of users currently logged in to our local AD.
I have the data in OMS, and I have made this query so far:
SecurityEvent
| where EventID == 4624
| where ( LogonTypeName == "3 - Network" )
| where ( Computer == "ad server" )
| where AccountType == "User"
| summarize count() by TargetAccount
But I'm kind of stuck here.
I can't get it to show a number. I have tried different methods, but not with the result I was hoping for.
Hope for some input or pointers to what I can do.
Best regards
Jan
Nov 23 2017 08:00 AM
Solution
Hi Jan,
Is this what you are looking for:
SecurityEvent
| where EventID == 4624
| where ( LogonTypeName == "3 - Network" )
| where ( Computer == "ad server" )
| where AccountType == "User"
| summarize dcount(TargetAccount)
?
It would show you the total number of users that logged on to the server, but not the number of users that are currently logged on.
To do this, you need to left join the list of users on the 4624 records with the list of users that have 4634 or 4647 records. Those that don't have a match are still logged on.
Hope this helps,
Meir :>
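The join described in the answer above, written out as an added example that is not part of the original thread: it anti-joins the 4624 logons against the 4634/4647 logoffs on the logon ID rather than the account name, so an account that logged off and later logged on again is still counted. The 12-hour lookback and the reliance on the `TargetLogonId` column being populated for these events are assumptions.

```kusto
// Added example, not from the original posts.
// Assumptions: 12h lookback window; TargetLogonId is populated
// for events 4624, 4634 and 4647 in this workspace.
let lookback = 12h;
let server = "ad server";   // server name as used in the thread
// Logon sessions opened on the server (same filters as the thread's query)
let logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where Computer == server
    | where EventID == 4624
    | where LogonTypeName == "3 - Network"
    | where AccountType == "User"
    | project TargetAccount, TargetLogonId, LogonTime = TimeGenerated;
// Logon sessions that were closed: 4634 (logoff) or 4647 (user-initiated logoff)
let logoffs = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where Computer == server
    | where EventID in (4634, 4647)
    | project TargetLogonId;
// Keep only logons with no matching logoff, then count distinct accounts
logons
| join kind=leftanti (logoffs) on TargetLogonId
| summarize LoggedOnUsers = dcount(TargetAccount)
```

A session whose logoff was never recorded, or whose logon is older than the lookback window, is miscounted, so treat the result as an estimate of open sessions on that server.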
Nov 27 2017 04:14 AM
That helps, thank you, I completely missed the dcount parameter.
Now I just have to get the joins to work.
Regards
Jan Dam