query where VM is not login

Copper Contributor

Can any one help me query where VM is not login for past 60 days

4 Replies
Do you have 60days of data in your workspace? Typically you'll need SecurityEvent table and eventid 4624 for you have this?


@CliveWatson is raising good points - you can only check which accounts actually sent login events in the past but did not send them again over the last 60 days. That means you should have a long retention of those logs. For Windows, you should have something like that:

| where TimeGenerated > ago(90d)    // or however long your retention is
| where EventID == 4624             // this is the login event ID
| summarize arg_max(TimeGenerated, *) by TargetAccount// gets the latest login per account
| where TimeGenerated < ago(60d)    // filtering logins events by their last login date


Similarly, for Linux it should be (not verified)

| where TimeGenerated > ago(90d)
| where RecordType == 'user_login'  and res == 'success'
| summarize arg_max(acct, *)
| where TimeGenerated < ago(60d)



Thanks solution ,i got the point.. 

best response confirmed by Srini1987 (Copper Contributor)

@Noa Kuperberg 


Perfect solution which i was expected..

Thanks for your time to help on the case.