ACS Reports to Log Analytics Search Queries Mapping Updated with KQL
The OpsMgr ACS Reports to Log Analytics Search Queries Mapping table has been updated with the new Log Analytics query language (KQL).
For a comparison of how the legacy query for each ACS Report is replaced by a corresponding new query in KQL, please refer to the following table:
| OpsMgr ACS Report Name | Legacy OMS Log Analytics Search Query (For Reference) | New and Enhanced OMS Log Analytics Search Query (KQL) |
|---|---|---|
| Access Violation: Account Locked | `Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279` | `SecurityEvent \| where EventID == 539 or EventID == 644 or EventID == 4740 or EventID == 6279` |
| | `Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279 \| measure count() by EventID` | `SecurityEvent \| where EventID == 539 or EventID == 644 or EventID == 4740 or EventID == 6279 \| summarize count() by EventID` |
| Access Violation: Unsuccessful Logon Attempts | `Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) \| Select TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName` | `SecurityEvent \| where EventID between (529 .. 537) or EventID == 539 or (EventID == 4625 and Status == "0xc000006d") \| project TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName` |
| | `Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) \| measure count() by TargetAccount` | `SecurityEvent \| where EventID between (529 .. 537) or EventID == 539 or (EventID == 4625 and Status == "0xc000006d") \| summarize EventCount = count() by TargetAccount \| order by EventCount desc` |
| Account Management: Domain and Built-in Administrators Membership Changes | `Type=SecurityEvent EventID=4728 OR EventID=4732 OR EventID=4756 OR EventID=632 OR EventID=636 OR EventID=660 AND ("*512" OR "S-1-5-32-544") \| Extend "Add Member" AS Action \| Select Action, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer` | `SecurityEvent \| where EventID == 4728 or EventID == 4732 or EventID == 4756 or EventID == 632 or EventID == 636 or EventID == 660 \| search "S-1-5-32-544" or "512" \| project Action = "Add Member", TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer` |
| | `Type=SecurityEvent EventID=4729 OR EventID=4733 OR EventID=4757 OR EventID=633 OR EventID=637 OR EventID=661 AND ("*512" OR "S-1-5-32-544") \| Extend "Remove Member" AS Action \| Select Action, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer` | `SecurityEvent \| where EventID == 4729 or EventID == 4733 or EventID == 4757 or EventID == 633 or EventID == 637 or EventID == 661 \| search "S-1-5-32-544" or "512" \| project Action = "Remove Member", TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer` |
| Account Management: Passwords Change Attempts by Non-owner | `Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" TargetAccount NOT IN {Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" \| measure count() by SubjectAccount} \| EXTEND SubjectAccount AS ChangedBy \| Select TimeGenerated, Computer, TargetAccount, ChangedBy` | `SecurityEvent \| where (EventID == 4723 or EventID == 4724 or EventID between (627 .. 628)) and SubjectAccount != "ANONYMOUS LOGON" and TargetAccount != SubjectAccount \| project TimeGenerated, Computer, TargetAccount, ChangedBy = SubjectAccount` |
| Account Management: User Accounts Created | `Type=SecurityEvent (EventID=624 OR EventID=4720) \| EXTEND SubjectAccount AS CreatedBy \| Select TimeGenerated, TargetAccount, CreatedBy, Computer` | `SecurityEvent \| where EventID == 624 or EventID == 4720 \| project TimeGenerated, TargetAccount, CreatedBy = SubjectAccount, Computer` |
| Account Management: User Accounts Deleted | `Type=SecurityEvent (EventID=630 OR EventID=4726) \| EXTEND SubjectAccount AS DeletedBy \| Select TimeGenerated, TargetAccount, DeletedBy, Computer` | `SecurityEvent \| where EventID == 630 or EventID == 4726 \| project TimeGenerated, TargetAccount, DeletedBy = SubjectAccount, Computer` |
| Forensic: All Events For Specified Computer | `Type=SecurityEvent Computer="<<Computer Name>>"` | `let computerName = ""; // Enter a Computer Name`<br>`SecurityEvent \| where Computer == computerName` |
| | `Type=SecurityEvent Computer="<<Computer Name>>" \| measure count() by Activity` | `let computerName = ""; // Enter a Computer Name`<br>`SecurityEvent \| where Computer == computerName \| summarize count() by Activity` |
| Forensic: All Events For Specified User | `Type=SecurityEvent Account="<<User Domain\\Account Name>>"` | `let accountName = ""; // Enter a User Domain\\Account Name`<br>`SecurityEvent \| where Account == accountName` |
| | `Type=SecurityEvent Account="<<User Domain\\Account Name>>" \| measure count() by Activity` | `let accountName = ""; // Enter a User Domain\\Account Name`<br>`SecurityEvent \| where Account == accountName \| summarize count() by Activity` |
| Forensic: All Events With Specified Event ID | `Type=SecurityEvent EventID="<<Event Id>>"` | `let eventId = 0; // Replace 0 with another event Id`<br>`SecurityEvent \| where EventID == eventId` |
| | `Type=SecurityEvent EventID="<<Event Id>>" \| measure count() by Computer` | `let eventId = 0; // Replace 0 with another event Id`<br>`SecurityEvent \| where EventID == eventId \| summarize count() by Computer` |
| | `Type=SecurityEvent EventID="<<Event Id>>" \| measure count() by Account` | `let eventId = 0; // Replace 0 with another event Id`<br>`SecurityEvent \| where EventID == eventId \| summarize count() by Account` |
| Planning: Event Counts | `Type=SecurityEvent EventID!=0 \| measure count() AS Count by Activity` | `SecurityEvent \| where EventID != 0 \| summarize Count = count() by Activity \| order by Count` |
| Planning: Event Counts by Computer | `Type=SecurityEvent Computer="<<Computer Name>>" \| measure count() by Activity` | `let computerName = ""; // Enter a Computer Name`<br>`SecurityEvent \| where Computer == computerName \| summarize Count = count() by Activity \| order by Count` |
| | `Type=SecurityEvent Computer="<<Computer Name>>" \| measure count() by EventID` | `let computerName = ""; // Enter a Computer Name`<br>`SecurityEvent \| where Computer == computerName \| summarize Count = count() by EventID \| order by Count` |
| Planning: Hourly Event Distribution | `Type=SecurityEvent EventID!=0 \| measure count() AS Count by TimeGenerated Interval 1Hour` | `SecurityEvent \| where EventID != 0 \| summarize Count = count() by bin(TimeGenerated, 1h) \| render timechart` |
| | `Type=SecurityEvent EventID!=0 AND EventID:[xx..yy] \| measure count() AS Count by Activity Interval 1Hour` | `let x = 1; let y = 10000; // Enter the event ID range`<br>`SecurityEvent \| where EventID != 0 and EventID between (x .. y) \| summarize Count = count() by Activity, bin(TimeGenerated, 1h) \| render timechart` |
| Planning: Logon Counts of Privileged Users | `Type=SecurityEvent EventID=576 OR EventID=4672 AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine" \| Select SubjectAccount, PrivilegeList` | `SecurityEvent \| where EventID == 576 or EventID == 4672 \| where SubjectDomainName != "NT AUTHORITY" and AccountType != "Machine" \| project SubjectAccount, PrivilegeList` |
| | `Type=SecurityEvent EventID=576 OR EventID=4672 AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine" \| Measure Count() by SubjectAccount` | `SecurityEvent \| where EventID == 576 or EventID == 4672 \| where SubjectDomainName != "NT AUTHORITY" and AccountType != "Machine" \| summarize count() by SubjectAccount \| order by count_` |
| Policy: Account Policy Changed | `Type=SecurityEvent EventID=643 OR EventID=4739 \| Select Computer, Activity, TimeGenerated, EventData` | `SecurityEvent \| where EventID == 643 or EventID == 4739 \| project Computer, Activity, TimeGenerated, EventData` |
| Policy: Audit Policy Changed | `Type=SecurityEvent EventID=612 OR EventID=4719 \| Select Computer, Activity, TimeGenerated, EventData` | `SecurityEvent \| where EventID == 612 or EventID == 4719 \| project Computer, Activity, TimeGenerated, EventData` |
| Policy: Object Permissions Changed | `Type=SecurityEvent EventID=4670 \| Select TimeGenerated, Activity, Computer, EventData` | `SecurityEvent \| where EventID == 4670 \| project TimeGenerated, Activity, Computer, EventData` |
| Policy: Privilege Added Or Removed | `Type=SecurityEvent EventID:[608..609] OR EventID:[621..622] OR EventID:[4704..4705] \| Select TimeGenerated, Activity, Computer, EventData` | `SecurityEvent \| where EventID between (608 .. 609) or EventID between (621 .. 622) or EventID between (4704 .. 4705) \| project TimeGenerated, Activity, Computer, EventData` |
| System Integrity: Audit Failure | `Type=SecurityEvent EventID=516 OR EventID=4612 \| Select TimeGenerated, Activity, Computer` | `SecurityEvent \| where EventID == 516 or EventID == 4612 \| project TimeGenerated, Activity, Computer` |
| System Integrity: Audit Log Cleared | `Type=SecurityEvent EventID=517 OR EventID=1102 \| Select Activity, Computer, TimeGenerated, EventData` | `SecurityEvent \| where EventID == 517 or EventID == 1102 \| project Activity, Computer, TimeGenerated, EventData` |
| Usage: Object Access | `Type=SecurityEvent EventID=560 OR EventID=567 OR EventID=4656 OR EventID=4663 \| Select Computer, Activity, TimeGenerated, EventData` | `SecurityEvent \| where EventID == 560 or EventID == 567 or EventID == 4656 or EventID == 4663 \| project Computer, Activity, TimeGenerated, EventData` |
| Usage: Privileged Logon | `Type=SecurityEvent EventID=576 OR EventID=4672 \| Select TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList` | `SecurityEvent \| where EventID == 576 or EventID == 4672 \| project TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList` |
| Usage: Sensitive Security Groups Changes | `Type=SecurityEvent EventID:[4727..4735] OR EventID=4737 OR EventID:[4754..4758] OR EventID:[631..639] OR EventID=641 OR EventID:[658..662] \| EXTEND TargetUserName AS GroupName \| Select Activity, GroupName, SubjectAccount, MemberName, TimeGenerated` | `SecurityEvent \| where EventID between (4727 .. 4735) or EventID == 4737 or EventID between (4754 .. 4758) or EventID between (631 .. 639) or EventID == 641 or EventID between (658 .. 662) \| project Activity, GroupName = TargetUserName, SubjectAccount, MemberName, TimeGenerated \| order by Activity desc` |
| Usage: User Logon | `Type=SecurityEvent EventID=528 OR EventID=540 OR EventID=4624 \| Select TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount` | `SecurityEvent \| where EventID == 528 or EventID == 540 or EventID == 4624 \| project TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount` |
| DAC: File Resource Property Changes | `Type=SecurityEvent EventID=4911 \| Select Computer, Activity, TimeGenerated, SubjectAccount, EventData` | `SecurityEvent \| where EventID == 4911 \| project Computer, Activity, TimeGenerated, SubjectAccount, EventData` |
| DAC: Central Access Policy For File Changes | `Type=SecurityEvent EventID=4913 \| Select Computer, Activity, TimeGenerated, SubjectAccount, EventData` | `SecurityEvent \| where EventID == 4913 \| project Computer, Activity, TimeGenerated, SubjectAccount, EventData` |
| DAC: Object Attribute Changes | `Type=SecurityEvent EventID=5136 OR EventID=5137 \| Select Computer, Activity, TimeGenerated, SubjectAccount, EventData` | `SecurityEvent \| where EventID == 5136 or EventID == 5137 \| project Computer, Activity, TimeGenerated, SubjectAccount, EventData` |

Two points to keep in mind when translating the remaining legacy queries yourself: in KQL `and` binds more tightly than `or`, so a legacy filter that relied on parentheses (such as the "Passwords Change Attempts by Non-owner" report) must keep the same grouping, and a `//` comment runs to the end of the line, so a `let` statement carrying a comment needs a line break before the `SecurityEvent` that follows it.
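As an added example that is not part of the original mapping table, the "Access Violation: Unsuccessful Logon Attempts" report is carried one step further below: the same event filter is kept, but the results are bucketed per account and hour and reduced to the accounts whose failure count crosses a review threshold, which is the form an analyst would usually want when reviewing this report. The `lookback` window and `failureThreshold` value are assumed values chosen for illustration, not values from the page.

```kusto
// Added example, not from the original ACS mapping table.
// lookback and failureThreshold are assumed values; tune them for your environment.
let lookback = 1d;
let failureThreshold = 10;
SecurityEvent
| where TimeGenerated > ago(lookback)
// Keep the grouping of the legacy filter: "and" binds tighter than "or" in KQL,
// so the 4625/Status pair stays in its own parentheses.
| where EventID between (529 .. 537)
     or EventID == 539
     or (EventID == 4625 and Status == "0xc000006d")
// One row per target account and hour, with the distinct sources and hosts seen.
| summarize Failures = count(),
            SourceIPs = make_set(IpAddress),
            Computers = make_set(Computer)
          by TargetAccount, Hour = bin(TimeGenerated, 1h)
| where Failures >= failureThreshold
| order by Failures desc
```

Remove the final `where` to see every account with at least one failure, or replace `render`-less output with `| render timechart` after summarizing by `Hour` alone to get the hourly distribution shown in the "Planning" section of the table.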
Additional Resources:
The Azure Log Analytics Query Language Reference can be used to search for examples and further information on query operators and functions:
https://docs.loganalytics.io/docs/Language-Reference
Log Analytics Demo Portal:
https://portal.loganalytics.io/demo