Forum Discussion
May 08, 2023
Advanced Hunting
Find out who are the local administrators of the devices through the hunting function in Microsoft Defender for Endpoint.
1 Reply
- 0fflinedocs (Brass Contributor)
You can use this query to find local admin logins on a device, summarizing device name and account name:
DeviceLogonEvents
| where IsLocalAdmin == 1
| project DeviceName, AccountDomain, AccountName, LogonType, ActionType
| summarize count() by DeviceName, AccountName
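
A more detailed variant of the query in the reply above, added here as an example and not part of the original post. It assumes a 30-day lookback and counts only successful logons; because `DeviceLogonEvents` records logons, an account that holds local administrator rights but has not logged on in that window will not appear.

```kusto
// Added example: accounts seen logging on with local administrator rights, per device.
// Assumptions (not from the original post): 30-day window, successful logons only.
DeviceLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonSuccess"
| where IsLocalAdmin == 1
// One row per device/account pair, with how and when the account was used.
| summarize
    Logons = count(),
    LogonTypes = make_set(LogonType),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceId, DeviceName, AccountDomain, AccountName, AccountSid
| order by DeviceName asc, LastSeen desc
```

Grouping on `DeviceId` and `AccountSid` as well as the names keeps renamed devices and same-named local accounts on different machines from being merged into one row.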