Queries for the SecurityEvent table
Security Events most common event IDs
This query displays a descending list of the amount of events ingested per EventId for Security-Auditing.
SecurityEvent
| where EventSourceName == "Microsoft-Windows-Security-Auditing"
| summarize EventCount = count() by EventID
| sort by EventCount desc
Members added to security groups
Who was added to security-enabled group over the last day?
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group
| summarize count() by SubjectAccount, Computer, _ResourceId
// This query requires the Security solution
Uses of clear text password
List all accounts that logged on using a clear-text password over the last day.
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID == 4624 // event ID 4624: "an account was successfully logged on",
| where LogonType == 8 // logon type 8: "NetworkCleartext"
| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account
// This query requires the Security solution
Windows failed logins
Find reports of Windows accounts that failed to login.
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account
// This query requires the Security solution
All Security Activities
Security activities sorted by time (newest first).
SecurityEvent
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc
Security Activities on the Device
Security activities on a specific device sorted by time (newest first).
SecurityEvent
//| where Computer == "COMPUTER01.contoso.com" // Replace with a specific computer name
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc
Security Activities for Admin
Security activities on a specific device for administrator sorted by time (newest first).
SecurityEvent
//| where Computer == "COMPUTER01.contoso.com" // Replace with a specific computer name
| where TargetUserName == "Administrator"
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc
Logon Activity by Device
Counts logon activities per device.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer
Devices With More Than 10 Logons
Counts logon activities per devices with more than 10 logons.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer
| where LogonCount > 10
Accounts Terminated Antimalware
Accounts which terminated Microsoft Antimalware.
SecurityEvent
| where EventID == 4689
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Account
Devices with Antimalware Terminated
Devices which terminated Microsoft Antimalware.
SecurityEvent
| where EventID == 4689
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Computer
Devices Where Hash Was Executed
Devices where hash.exe was executed more than 5 times.
SecurityEvent
| where EventID == 4688
| where Process has "hash.exe" or ParentProcessName has "hash.exe"
| summarize ExecutionCount = count() by Computer
| where ExecutionCount > 5
Process Names Executed
Lists number of executions per process.
SecurityEvent
| where EventID == 4688
| summarize ExecutionCount = count() by NewProcessName
Devices With Security Log Cleared
Devices with securtiy log cleared.
SecurityEvent
| where EventID == 1102
| summarize LogClearedCount = count() by Computer
Logon Activity by Account
Logon activity by account.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account
Accounts With Less Than 5 Times Logons
Logon activity for accounts with less than 5 logons.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account
| where LogonCount < 5
Remoted Logged Accounts on Devices
Remoted logged accounts on a specific device.
SecurityEvent
| where EventID == 4624 and (LogonTypeName == "3 - Network" or LogonTypeName == "10 - RemoteInteractive")
//| where Computer == "Computer01.contoso.com" // Replace with a specific computer name
| summarize RemoteLogonCount = count() by Account
Computers With Guest Account Logons
Computers with logons from guest accounts.
SecurityEvent
| where EventID == 4624 and TargetUserName == 'Guest' and LogonType in (10, 3)
| summarize count() by Computer
Members Added to Security Enabled Groups
Members added to the security enabled groups.
SecurityEvent
| where EventID in (4728, 4732, 4756)
| summarize count() by SubjectAccount
Domain Security Policy Changes
Counts events of domain policy changed.
SecurityEvent
| where EventID == 4739
| summarize count() by DomainPolicyChanged
System Audit Policy Changes
System audit policy changed events by computer.
SecurityEvent
| where EventID == 4719
| summarize count() by Computer
Suspicious Executables
Lists suspicious executables.
SecurityEvent
| where EventID == 8002 and Fqbn == '-'
| summarize ExecutionCountHash=count() by FileHash
| where ExecutionCountHash <= 5
Logons With Clear Text Password
Logons with clear text password by target account.
SecurityEvent
| where EventID == 4624 and LogonType == 8
| summarize count() by TargetAccount
Computers With Cleaned Event Logs
Computers with cleaned event logs.
SecurityEvent
| where EventID in (1102, 517) and EventSourceName == 'Microsoft-Windows-Eventlog'
| summarize count() by Computer
Accounts Failed to Logon
Counts failed logons by target account.
SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount
Locked Accounts
Counts locked acounts by target account.
SecurityEvent
| where EventID == 4740
| summarize count() by TargetAccount
Change or Reset Passwords Attempts
Counts change/reset paswords attempts per target account.
SecurityEvent
| where EventID in (4723, 4724)
| summarize count() by TargetAccount
Groups Created or Modified
Groups created or modified per target account.
SecurityEvent
| where EventID in (4727, 4731, 4735, 4737, 4754, 4755)
| summarize count() by TargetAccount
Remote Procedure Call Attempts
Counts remote procedure call attempts per computer.
SecurityEvent
| where EventID == 5712
| summarize count() by Computer
User Accounts Changed
Counts user account changes per target account.
SecurityEvent
| where EventID in (4720, 4722)
| summarize by TargetAccount
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for