ACS Reports to Log Analytics Search Queries Mapping Updated with KQL


The OpsMgr ACS Reports to Log Analytics Search Queries Mapping table has been updated with new query language in Log Analytics (KQL).

For a comparison on how the legacy query for each ACS Report is replaced with a corresponding new query in KQL, please refer to the following table:
 

OpsMgr Audit Collection Services (ACS)

OMS Log Analytics Search Queries

 

 

Report Name

Legacy (For Reference)

New and Enhanced (KQL)

 

 

Access Violation:
Account Locked

Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279

SecurityEvent
| where EventID==539 or EventID==644 or EventID==4740 or EventID==6279

 

 

Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279 | measure count() by EventID

SecurityEvent
| where EventID==539 or EventID==644 or EventID==4740 or EventID==6279
| summarize count() by EventID

 

 

Access Violation:
Unsuccessful Logon Attempts

Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d)  | Select TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName

SecurityEvent
| where EventID between (529 .. 537) or EventID==539 or (EventID==4625 and Status==”0xc000006d”) 
| project TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName

 

 

Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | measure count() by TargetAccount

SecurityEvent
| where EventID between (529 .. 537) or EventID==539 or (EventID==4625 and Status==”0xc000006d”) 
| summarize EventCount=count() by TargetAccount
| order by EventCount desc

 

 


 
Account Management:
Domain and Built-in Administrators Membership Changes

Type=SecurityEvent EventID=4728 OR EventID=4732 OR EventID=4756 OR EventID=632 OR EventID=636 OR EventID=660 AND (“*512” OR “S-1-5-32-544”) | Extend “Add Member” AS Action | Select Action, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer

SecurityEvent
| where EventID==4728 or EventID==4732 or EventID==4756 or EventID==632 or EventID==636 or EventID==660
| search “S-1-5-32-544” or “512”
| project Action=”Add Member”, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer

 

 

Type=SecurityEvent EventID=4729 OR EventID=4733 OR EventID=4757 OR EventID=633 OR EventID=637 OR EventID=661 AND (“*512” OR “S-1-5-32-544”) | Extend “Remove Member” AS Action | Select Action, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer

SecurityEvent
| where EventID==4729 or EventID==4733 or EventID==4757 or EventID==633 or EventID==637 or EventID==661
| search “S-1-5-32-544” or “512”
| project Action=”Remove Member”, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer

 

 

Account Management:
Passwords Change Attempts by Non-owner

Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!=”ANONYMOUS LOGON” TargetAccount NOT IN {Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!=”ANONYMOUS LOGON” | measure count() by SubjectAccount} | EXTEND SubjectAccount AS ChangedBy | Select  TimeGenerated, Computer, TargetAccount, ChangedBy

SecurityEvent
| where EventID==4723 or EventID==4724 or EventID between (627 .. 628) and SubjectAccount != “ANONYMOUS LOGON” and TargetAccount!=SubjectAccount
| project TimeGenerated, Computer, TargetAccount, ChangedBy=SubjectAccount

 

 

Account Management:
User Accounts Created

Type=SecurityEvent (EventID=624 OR EventID=4720) | EXTEND SubjectAccount AS CreatedBy | Select TimeGenerated, TargetAccount, CreatedBy, Computer

SecurityEvent
| where EventID==624 or EventID==4720
| project TimeGenerated, TargetAccount, CreatedBy=SubjectAccount, Computer

 

 

Account Management:
User Accounts Deleted

Type=SecurityEvent (EventID=630 OR EventID=4726) | EXTEND SubjectAccount AS DeletedBy | Select TimeGenerated, TargetAccount, DeletedBy, Computer

SecurityEvent
| where EventID==630 or EventID==4726
| project TimeGenerated, TargetAccount, DeletedBy=SubjectAccount, Computer

 

 

Forensic:
All Events For Specified Computer

Type=SecurityEvent Computer=”<<Computer Name>>”

let computerName = “”;  //Enter a Computer Name
SecurityEvent
| where Computer==computerName

 

 

Type=SecurityEvent Computer=”<<Computer Name>>” | measure count() by Activity

let computerName = “”;  //Enter a Computer Name
SecurityEvent
| where Computer==computerName
| summarize count() by Activity

 

 


 Forensic:
All Events For Specified User

Type=SecurityEvent Account=”<<User Domain\\Account Name>>”

let accountName = “”; //Enter a User Domain\\Account Name
SecurityEvent
| where Account == accountName

 

 

Type=SecurityEvent Account=”<<User Domain\\Account Name>>” | measure count() by Activity

let accountName = “”; //Enter a User Domain\\Account Name
SecurityEvent
| where Account == accountName
| summarize count() by Activity

 

 

Forensic:
All Events With Specified Event ID

Type=SecurityEvent EventID=”<<Event Id>>”

let eventId = 0; //Replace 0 with another event Id
SecurityEvent
| where EventID == eventId

 

 

Type=SecurityEvent EventID=”<<Event Id>>” | measure count() by Computer

let eventId = 0; //Replace 0 with another event Id
SecurityEvent
| where EventID == eventId
| summarize count() by Computer

 

 

Type=SecurityEvent EventID=”<<Event Id>>” | measure count() by Account

let eventId = 0; //Replace 0 with an eventId
SecurityEvent
| where EventID == eventId
| summarize count() by Account

 

 

Planning:
Event Counts

Type=SecurityEvent EventID!=0 | measure count() AS Count by Activity

SecurityEvent
| where EventID!=0
| summarize Count=count() by Activity
| order by Count

 

 

Planning:
Event Counts by Computer

Type=SecurityEvent Computer=”<<Computer Name>>” | measure count() by Activity

let computerName = “”; //Enter a Computer Name
SecurityEvent
| where Computer==computerName
| summarize Count=count() by Activity
| order by Count

 

 

Type=SecurityEvent Computer=”<<Computer Name>>” | measure count() by EventID

let computerName = “”; //Enter a Computer Name
SecurityEvent
| where Computer==computerName
| summarize Count=count() by EventID
| order by Count

 

 

Planning:
Hourly Event Distribution

Type=SecurityEvent EventID!=0 | measure count() AS Count by TimeGenerated Interval 1Hour

SecurityEvent
| where EventID!=0
| summarize Count=count() by bin(TimeGenerated,1h)
| render timechart

 

 

Type=SecurityEvent EventID!=0 AND EventID:[xx..yy] | measure count() AS Count by Activity Interval 1Hour

let x=1;
let y=10000;
SecurityEvent
| where EventID between (x .. y) or EventID!=0
| summarize Count=count() by Activity, bin(TimeGenerated,1h)
| render timechart

 

 

Planning:
Logon Counts of Privileged Users

Type=SecurityEvent EventID=576 OR EventID=4672 AND SubjectDomainName!=”NT AUTHORITY” AND AccountType!=”Machine” | Select SubjectAccount, PrivilegeList

SecurityEvent
| where EventID==576 or EventID==4672
| where SubjectDomainName!=”NT AUTHORITY” and AccountType!=”Machine”
| project SubjectAccount, PrivilegeList

 

 

Type=SecurityEvent EventID=576 OR EventID=4672 AND SubjectDomainName!=”NT AUTHORITY” AND AccountType!=”Machine” | Measure Count() by SubjectAccount

SecurityEvent
| where EventID==576 or EventID==4672
| where SubjectDomainName!=”NT AUTHORITY” and AccountType!=”Machine”
| summarize count() by SubjectAccount
| order by count_

 

 

Policy:
Account Policy Changed

Type=SecurityEvent EventID=643 OR EventID=4739 | Select Computer, Activity, TimeGenerated, EventData

SecurityEvent
| where EventID==643 or EventID==4739
| project Computer, Activity, TimeGenerated, EventData

 

 

Policy:
Audit Policy Changed

Type=SecurityEvent EventID=612 OR EventID=4719 | Select Computer, Activity, TimeGenerated, EventData

SecurityEvent
| where EventID==612 or EventID==4719
| project Computer, Activity, TimeGenerated, EventData

 

 

Policy:
Object Permissions Changed

Type=SecurityEvent EventID=4670 | Select TimeGenerated, Activity, Computer, EventData

SecurityEvent
| where EventID==4670
| project TimeGenerated, Activity, Computer, EventData

 

 

Policy:
Privilege Added Or Removed

Type=SecurityEvent EventID:[608..609] OR EventID:[621..622] OR EventID:[4704..4705] | Select TimeGenerated, Activity, Computer, EventData

SecurityEvent
| where EventID between (608 .. 609) or EventID between (621 .. 622) or EventID between (4704 .. 4705)
| project TimeGenerated, Activity, Computer, EventData

 

 

System Integrity:
Audit Failure

Type=SecurityEvent EventID=516 OR EventID=4612 | Select TimeGenerated, Activity, Computer

SecurityEvent
| where EventID==516 or EventID==4612
| project TimeGenerated, Activity, Computer

 

 

System Integrity:
Audit Log Cleared

Type=SecurityEvent EventID=517 OR EventID=1102 | Select Activity, Computer, TimeGenerated, EventData

SecurityEvent
| where EventID==517 or EventID==1102
| project Activity, Computer, TimeGenerated, EventData

 

 


 
Usage:
Object Access

Type=SecurityEvent EventID=560 OR EventID=567 OR EventID=4656 OR EventID=4663 | Select Computer, Activity, TimeGenerated, EventData

SecurityEvent
| where EventID==560 or EventID==567 or EventID==4656 or EventID==4663
| project Computer, Activity, TimeGenerated, EventData

 

 

Usage:
Privileged logon

Type=SecurityEvent EventID=576 OR EventID=4672 | Select TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList

SecurityEvent
| where EventID==576 or EventID==4672
| project TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList

 

 

Usage:
Sensitive Security Groups Changes

Type=SecurityEvent EventID:[4727..4735] OR EventID=4737 OR EventID:[4754..4758] OR EventID:[631..639] OR EventID=641 OR EventID:[658..662] | EXTEND TargetUserName As GroupName | Select Activity, GroupName, SubjectAccount, MemberName, TimeGenerated

SecurityEvent
| where EventID between (4727 .. 4735) or EventID==4737 or EventID between (4754 .. 4758) or EventID between (631 .. 639) or EventID==641 or EventID between (658 .. 662)
| project Activity, GroupName=TargetUserName, SubjectAccount, MemberName, TimeGenerated
| order by Activity desc

 

 

Usage:
User Logon

Type=SecurityEvent EventID=528 OR EventID=540 OR EventID=4624 | Select TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount

SecurityEvent
| where EventID==528 or EventID==540 or EventID==4624
| project TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount

 

 

DAC:
File Resource Property Changes

Type=SecurityEvent EventID=4911 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData

SecurityEvent
| where EventID==4911
| project Computer, Activity, TimeGenerated, SubjectAccount, EventData

 

 

DAC:
Central Access Policy For File Changes

Type=SecurityEvent EventID=4913 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData

SecurityEvent
| where EventID==4913
| project Computer, Activity, TimeGenerated, SubjectAccount, EventData

 

 

DAC:
Object Attribute Changes

Type=SecurityEvent EventID=5136 OR EventID=5137 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData

SecurityEvent
| where EventID==5136 or EventID==5137
| project Computer, Activity, TimeGenerated, SubjectAccount, EventData

 



 

Additional Resources:

The Azure Log Analytics Query Language Reference can be used to search for examples and further information on query operators and functions:
https://docs.loganalytics.io/docs/Language-Reference

Log Analytics Demo Portal:
https://portal.loganalytics.io/demo

 


 

Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.