Jul 01 2020
10:43 AM
- last edited on
Apr 08 2022
10:31 AM
by
TechCommunityAP
Can anyone help me with a query for VMs that have not been logged into for the past 60 days?
Jul 01 2020 03:17 PM
Jul 02 2020 01:27 AM
@CliveWatson is raising good points - you can only check which accounts actually sent login events in the past but did not send them again over the last 60 days. That means you should have a long retention of those logs. For Windows, you should have something like this:
SecurityEvent
| where TimeGenerated > ago(90d) // or however long your retention is
| where EventID == 4624 // this is the login event ID
| summarize arg_max(TimeGenerated, *) by TargetAccount // gets the latest login per account
| where TimeGenerated < ago(60d) // keeps only accounts whose latest login is older than 60 days
Similarly, for Linux it should be (not verified):
LinuxAuditLog
| where TimeGenerated > ago(90d)
| where RecordType == 'user_login' and res == 'success'
| summarize arg_max(TimeGenerated, *) by acct // latest successful login per account
| where TimeGenerated < ago(60d)
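The queries above list inactive accounts, while the original question asks about inactive VMs. The following is an added example (not the answerer's query and not from the thread) that applies the same arg_max pattern per host instead of per account, using the SecurityEvent columns Computer and LogonType, and then joins the Heartbeat table so that a VM that simply stopped sending logs can be told apart from one that is up but unused. The lookback and inactivity windows are assumed values you would adjust to your retention.

```kql
// Added example: inactive VMs rather than inactive accounts.
// Assumes the standard SecurityEvent and Heartbeat tables of a Log Analytics workspace.
let lookback = 90d;       // must be longer than the inactivity window and within retention
let inactive = 60d;       // "not logged into for 60 days"
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624                       // successful logon
| where LogonType in (2, 10)                  // interactive (console) and RemoteInteractive (RDP) only;
                                              // drop this line to count service/network logons as well
| summarize arg_max(TimeGenerated, TargetAccount, LogonType) by Computer   // latest logon per host
| where TimeGenerated < ago(inactive)         // latest logon is older than the inactivity window
| project Computer, LastLogon = TimeGenerated, LastAccount = TargetAccount, LastLogonType = LogonType
// Distinguish "nobody logs in" from "the VM stopped reporting": a host with no recent
// heartbeat may be deallocated, or its agent may have been removed, which is a
// monitoring gap rather than an idle machine.
| join kind=leftouter (
    Heartbeat
    | where TimeGenerated > ago(1d)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer
  ) on Computer
| extend StillReporting = isnotempty(LastHeartbeat)
| project Computer, LastLogon, LastAccount, LastLogonType, StillReporting, LastHeartbeat
| order by LastLogon asc
```

Hosts that never produced a 4624 event inside the lookback window do not appear in the result at all, for the same reason the answer gives for accounts: there is no row to take the maximum of. If you need those too, start from the Heartbeat table (all known hosts) and left-join the logon summary onto it instead.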
Jul 02 2020 02:30 AM
Jul 02 2020 02:32 AM
Solution
Perfect solution, which I was expecting.
Thanks for your time to help on the case.