Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Need Advanced Hunting query help to show User Last seen

Copper Contributor

Need to help in having a query to show User last Seen for a certain number of users. 

all another way to display "User Last seen" for a subset of users are welcome. thanks

My current query:

DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where Timestamp > ago(30d)
| where DeviceName contains "WVD"
| where AccountName in~ ("account1","account2", ... ,"accountx")
| summarize lastRec = arg_max(Timestamp,*)  by AccountName, ActionType, DeviceName
| extend lastSeen = datetime_diff("Day", now(), lastRec)
| where AccountName !contains "$" and AccountName !contains "umfd" and AccountName !contains "dwm"
| project lastRec, lastSeen, DeviceName, ActionType, AccountName
| extend AccountName = tostring(AccountName)
| join (IdentityInfo
| extend AccountName = tolower(AccountName)
| distinct AccountName, AccountUpn) on AccountName
0 Replies