SOLVED

query where VM is not login

Copper Contributor

Can any one help me query where VM is not login for past 60 days

4 Replies
Do you have 60days of data in your workspace? Typically you'll need SecurityEvent table and eventid 4624 for login...do you have this?

@Srini1987

@CliveWatson is raising good points - you can only check which accounts actually sent login events in the past but did not send them again over the last 60 days. That means you should have a long retention of those logs. For Windows, you should have something like that:

SecurityEvent
| where TimeGenerated > ago(90d)    // or however long your retention is
| where EventID == 4624             // this is the login event ID
| summarize arg_max(TimeGenerated, *) by TargetAccount// gets the latest login per account
| where TimeGenerated < ago(60d)    // filtering logins events by their last login date

 

Similarly, for Linux it should be (not verified)

LinuxAuditLog
| where TimeGenerated > ago(90d)
| where RecordType == 'user_login'  and res == 'success'
| summarize arg_max(acct, *)
| where TimeGenerated < ago(60d)

@CliveWatson

 

Thanks solution ,i got the point.. 

best response confirmed by Srini1987 (Copper Contributor)
Solution

@Noa Kuperberg 

 

Perfect solution which i was expected..

Thanks for your time to help on the case.

1 best response

Accepted Solutions
best response confirmed by Srini1987 (Copper Contributor)
Solution

@Noa Kuperberg 

 

Perfect solution which i was expected..

Thanks for your time to help on the case.

View solution in original post