Nov 20 2017
06:07 PM
- last edited on
Apr 07 2022
04:48 PM
by
TechCommunityAP
Nov 20 2017
06:07 PM
- last edited on
Apr 07 2022
04:48 PM
by
TechCommunityAP
Hi everyone,
I'm trying to assist a customer with a query in Log Analytics to see whenever computers were turned on, by computer and by day.
I think I am on the right track in the Security Event table, going off of the Saved Search that Log Analytics offered for Logon Activity by Computer.
search in (SecurityEvent) EventID == 4624
| summarize LogonCount = count() by Computer
| limit 500000
I found a list of the event numbers (here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/) and I believe 4608 "Windows is starting up" should work, but I can't seem to find where the options are to replace "LogonCount" with something that would indicate Windows starting instead. I'd also like to know how to sort that by computer and by day.
Appreciate any help you can offer, thanks!
Nov 20 2017 10:35 PM
SolutionNov 20 2017 10:45 PM
Thank you so much, Stanislav!
Is it also possible to query for the total amount of time each computer is used each day (ideally excluding idle time)? Is that somewhere in the Perf table?
Nov 20 2017 10:48 PM
Nov 20 2017 11:05 PM
Here's all of the information I have on the request for two queries.
1) Usage count of computers
Number of times a user turns the power on (from sleep or shutdown) and performs an interactive login
2) Usage time of computers
The time (period) that a computer is unlocked and interactively logged on (excluding idle time if possible)
We can skip the idle time if that's difficult. Thanks so much! BTW, is there a list of these performance counters somewhere? Is this the right area?
https://msdn.microsoft.com/en-us/library/windows/desktop/aa373083(v=vs.85).aspx
Nov 20 2017 11:13 PM
Nov 20 2017 11:15 PM
Ok, got it. Thank you so much for your time! I have run across your blog posts researching other cases as well, very much appreciate your contributions!
Nov 20 2017 10:35 PM
Solution