ACS Reports to Log Analytics Search Queries Mapping Updated with KQL

The OpsMgr ACS Reports to Log Analytics Search Queries Mapping table has been updated with new query language in Log Analytics (KQL).

For a comparison on how the legacy query for each ACS Report is replaced with a corresponding new query in KQL, please refer to the following table:
 

	OpsMgr Audit Collection Services (ACS)	OMS Log Analytics Search Queries
	Report Name	Legacy (For Reference)	New and Enhanced (KQL)
	Access Violation: Account Locked	Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279	SecurityEvent | where EventID==539 or EventID==644 or EventID==4740 or EventID==6279
		Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279 | measure count() by EventID	SecurityEvent | where EventID==539 or EventID==644 or EventID==4740 or EventID==6279| summarize count() by EventID
	Access Violation: Unsuccessful Logon Attempts	Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | Select TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName	SecurityEvent | where EventID between (529 .. 537) or EventID==539 or (EventID==4625 and Status=="0xc000006d") | project TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName
		Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | measure count() by TargetAccount	SecurityEvent | where EventID between (529 .. 537) or EventID==539 or (EventID==4625 and Status=="0xc000006d") | summarize EventCount=count() by TargetAccount | order by EventCount desc
	Account Management: Domain and Built-in Administrators Membership Changes	Type=SecurityEvent EventID=4728 OR EventID=4732 OR EventID=4756 OR EventID=632 OR EventID=636 OR EventID=660 AND (“*512” OR “S-1-5-32-544”) | Extend “Add Member” AS Action | Select Action, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer	SecurityEvent | where EventID==4728 or EventID==4732 or EventID==4756 or EventID==632 or EventID==636 or EventID==660| search "S-1-5-32-544" or "512"| project Action="Add Member", TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer
		Type=SecurityEvent EventID=4729 OR EventID=4733 OR EventID=4757 OR EventID=633 OR EventID=637 OR EventID=661 AND (“*512” OR “S-1-5-32-544”) | Extend “Remove Member” AS Action | Select Action, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer	SecurityEvent | where EventID==4729 or EventID==4733 or EventID==4757 or EventID==633 or EventID==637 or EventID==661| search "S-1-5-32-544" or "512"| project Action="Remove Member", TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer
	Account Management: Passwords Change Attempts by Non-owner	Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!=”ANONYMOUS LOGON” TargetAccount NOT IN {Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!=”ANONYMOUS LOGON” | measure count() by SubjectAccount} | EXTEND SubjectAccount AS ChangedBy | Select TimeGenerated, Computer, TargetAccount, ChangedBy	SecurityEvent | where EventID==4723 or EventID==4724 or EventID between (627 .. 628) and SubjectAccount != "ANONYMOUS LOGON" and TargetAccount!=SubjectAccount| project TimeGenerated, Computer, TargetAccount, ChangedBy=SubjectAccount
	Account Management: User Accounts Created	Type=SecurityEvent (EventID=624 OR EventID=4720) | EXTEND SubjectAccount AS CreatedBy | Select TimeGenerated, TargetAccount, CreatedBy, Computer	SecurityEvent | where EventID==624 or EventID==4720| project TimeGenerated, TargetAccount, CreatedBy=SubjectAccount, Computer
	Account Management: User Accounts Deleted	Type=SecurityEvent (EventID=630 OR EventID=4726) | EXTEND SubjectAccount AS DeletedBy | Select TimeGenerated, TargetAccount, DeletedBy, Computer	SecurityEvent | where EventID==630 or EventID==4726 | project TimeGenerated, TargetAccount, DeletedBy=SubjectAccount, Computer
	Forensic: All Events For Specified Computer	Type=SecurityEvent Computer=”<<Computer Name>>”	let computerName = ""; //Enter a Computer NameSecurityEvent | where Computer==computerName
		Type=SecurityEvent Computer=”<<Computer Name>>” | measure count() by Activity	let computerName = ""; //Enter a Computer NameSecurityEvent | where Computer==computerName| summarize count() by Activity
	Forensic: All Events For Specified User	Type=SecurityEvent Account=”<<User Domain\\Account Name>>”	let accountName = ""; //Enter a User Domain\\Account NameSecurityEvent| where Account == accountName
		Type=SecurityEvent Account=”<<User Domain\\Account Name>>” | measure count() by Activity	let accountName = ""; //Enter a User Domain\\Account NameSecurityEvent| where Account == accountName| summarize count() by Activity
	Forensic: All Events With Specified Event ID	Type=SecurityEvent EventID=”<<Event Id>>”	let eventId = 0; //Replace 0 with another event IdSecurityEvent| where EventID == eventId
		Type=SecurityEvent EventID=”<<Event Id>>” | measure count() by Computer	let eventId = 0; //Replace 0 with another event IdSecurityEvent| where EventID == eventId| summarize count() by Computer
		Type=SecurityEvent EventID=”<<Event Id>>” | measure count() by Account	let eventId = 0; //Replace 0 with an eventIdSecurityEvent| where EventID == eventId| summarize count() by Account
	Planning: Event Counts	Type=SecurityEvent EventID!=0 | measure count() AS Count by Activity	SecurityEvent | where EventID!=0 | summarize Count=count() by Activity| order by Count
	Planning: Event Counts by Computer	Type=SecurityEvent Computer=”<<Computer Name>>” | measure count() by Activity	let computerName = ""; //Enter a Computer NameSecurityEvent | where Computer==computerName| summarize Count=count() by Activity| order by Count
		Type=SecurityEvent Computer=”<<Computer Name>>” | measure count() by EventID	let computerName = ""; //Enter a Computer NameSecurityEvent | where Computer==computerName| summarize Count=count() by EventID| order by Count
	Planning: Hourly Event Distribution	Type=SecurityEvent EventID!=0 | measure count() AS Count by TimeGenerated Interval 1Hour	SecurityEvent | where EventID!=0| summarize Count=count() by bin(TimeGenerated,1h)| render timechart
		Type=SecurityEvent EventID!=0 AND EventID:[xx..yy] | measure count() AS Count by Activity Interval 1Hour	let x=1;let y=10000;SecurityEvent | where EventID between (x .. y) or EventID!=0| summarize Count=count() by Activity, bin(TimeGenerated,1h)| render timechart
	Planning: Logon Counts of Privileged Users	Type=SecurityEvent EventID=576 OR EventID=4672 AND SubjectDomainName!=”NT AUTHORITY” AND AccountType!=”Machine” | Select SubjectAccount, PrivilegeList	SecurityEvent | where EventID==576 or EventID==4672| where SubjectDomainName!="NT AUTHORITY" and AccountType!="Machine"| project SubjectAccount, PrivilegeList
		Type=SecurityEvent EventID=576 OR EventID=4672 AND SubjectDomainName!=”NT AUTHORITY” AND AccountType!=”Machine” | Measure Count() by SubjectAccount	SecurityEvent | where EventID==576 or EventID==4672| where SubjectDomainName!="NT AUTHORITY" and AccountType!="Machine"| summarize count() by SubjectAccount | order by count_
	Policy: Account Policy Changed	Type=SecurityEvent EventID=643 OR EventID=4739 | Select Computer, Activity, TimeGenerated, EventData	SecurityEvent | where EventID==643 or EventID==4739| project Computer, Activity, TimeGenerated, EventData
	Policy: Audit Policy Changed	Type=SecurityEvent EventID=612 OR EventID=4719 | Select Computer, Activity, TimeGenerated, EventData	SecurityEvent | where EventID==612 or EventID==4719 | project Computer, Activity, TimeGenerated, EventData
	Policy: Object Permissions Changed	Type=SecurityEvent EventID=4670 | Select TimeGenerated, Activity, Computer, EventData	SecurityEvent | where EventID==4670 | project TimeGenerated, Activity, Computer, EventData
	Policy: Privilege Added Or Removed	Type=SecurityEvent EventID:[608..609] OR EventID:[621..622] OR EventID:[4704..4705] | Select TimeGenerated, Activity, Computer, EventData	SecurityEvent | where EventID between (608 .. 609) or EventID between (621 .. 622) or EventID between (4704 .. 4705)| project TimeGenerated, Activity, Computer, EventData
	System Integrity: Audit Failure	Type=SecurityEvent EventID=516 OR EventID=4612 | Select TimeGenerated, Activity, Computer	SecurityEvent | where EventID==516 or EventID==4612| project TimeGenerated, Activity, Computer
	System Integrity: Audit Log Cleared	Type=SecurityEvent EventID=517 OR EventID=1102 | Select Activity, Computer, TimeGenerated, EventData	SecurityEvent | where EventID==517 or EventID==1102| project Activity, Computer, TimeGenerated, EventData
	Usage: Object Access	Type=SecurityEvent EventID=560 OR EventID=567 OR EventID=4656 OR EventID=4663 | Select Computer, Activity, TimeGenerated, EventData	SecurityEvent | where EventID==560 or EventID==567 or EventID==4656 or EventID==4663 | project Computer, Activity, TimeGenerated, EventData
	Usage: Privileged logon	Type=SecurityEvent EventID=576 OR EventID=4672 | Select TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList	SecurityEvent | where EventID==576 or EventID==4672| project TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList
	Usage: Sensitive Security Groups Changes	Type=SecurityEvent EventID:[4727..4735] OR EventID=4737 OR EventID:[4754..4758] OR EventID:[631..639] OR EventID=641 OR EventID:[658..662] | EXTEND TargetUserName As GroupName | Select Activity, GroupName, SubjectAccount, MemberName, TimeGenerated	SecurityEvent | where EventID between (4727 .. 4735) or EventID==4737 or EventID between (4754 .. 4758) or EventID between (631 .. 639) or EventID==641 or EventID between (658 .. 662) | project Activity, GroupName=TargetUserName, SubjectAccount, MemberName, TimeGenerated| order by Activity desc
	Usage: User Logon	Type=SecurityEvent EventID=528 OR EventID=540 OR EventID=4624 | Select TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount	SecurityEvent | where EventID==528 or EventID==540 or EventID==4624| project TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount
	DAC: File Resource Property Changes	Type=SecurityEvent EventID=4911 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData	SecurityEvent | where EventID==4911 | project Computer, Activity, TimeGenerated, SubjectAccount, EventData
	DAC: Central Access Policy For File Changes	Type=SecurityEvent EventID=4913 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData	SecurityEvent | where EventID==4913| project Computer, Activity, TimeGenerated, SubjectAccount, EventData
	DAC: Object Attribute Changes	Type=SecurityEvent EventID=5136 OR EventID=5137 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData	SecurityEvent | where EventID==5136 or EventID==5137 | project Computer, Activity, TimeGenerated, SubjectAccount, EventData

 

Additional Resources:

The Azure Log Analytics Query Language Reference can be used to search for examples and further information on query operators and functions:
https://docs.loganalytics.io/docs/Language-Reference

Log Analytics Demo Portal:
https://portal.loganalytics.io/demo

 

Disclaimer:

All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.