Advanced Hunting

How can I find out who the local administrators of the devices are, using the hunting function in Microsoft Defender for Endpoint?

1 Reply
You can use this query to find local admin logins on a device, summarizing device name and account name:

DeviceLogonEvents
// IsLocalAdmin is set when the account that logged on is a local administrator on that device
| where IsLocalAdmin == 1
| project DeviceName, AccountDomain, AccountName, LogonType, ActionType
// one row per device/account pair, with the number of admin logons observed
| summarize count() by DeviceName, AccountName
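Building on the reply above, the following query is an added example (not from the original poster or the reply) that pivots the same data by account instead of by device, so accounts holding local admin on many machines stand out. It assumes the standard DeviceLogonEvents schema; the 30-day window and the excluded built-in accounts are illustrative choices, and since the table records logons, it only reveals local admins that actually signed in during the window, not full group membership.

```kusto
// Added example: which accounts log on as local admin, on how many distinct devices,
// and when they were first and last seen doing so. Assumes the DeviceLogonEvents schema.
let lookback = 30d;                      // illustrative hunting window
let excluded_accounts = dynamic([        // illustrative: Windows built-ins that always log on locally
    "system", "local service", "network service", "dwm-1", "umfd-0"]);
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where IsLocalAdmin == 1                // account was a local administrator on the device
| where ActionType == "LogonSuccess"     // ignore failed and merely attempted logons
| where tolower(AccountName) !in (excluded_accounts)
| extend Account = strcat(AccountDomain, "\\", AccountName)
| summarize
    Devices    = dcount(DeviceName),     // breadth of admin access for this account
    DeviceList = make_set(DeviceName, 20),
    LogonTypes = make_set(LogonType),    // Interactive, RemoteInteractive, Network, ...
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp),
    Logons     = count()
    by Account
| order by Devices desc                  // accounts with admin on the most devices first
```

Accounts near the top with a high Devices count and RemoteInteractive or Network logon types are good candidates for a least-privilege review.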