Active Directory - Computer Object - Operating System Name changes

Query Information

Description

Use the below query to identify Active Directory Computer Object Operating System name changes

References

Microsoft Defender XDR

IdentityDirectoryEvents
| where ActionType == @"Device Operating System changed"
| extend FROMDeviceOperatingSystem = parse_json(AdditionalFields)["FROM Device Operating System"]
| extend TODeviceOperatingSystem = parse_json(AdditionalFields)["TO Device Operating System"]
| project
    TimeGenerated,
    TargetDeviceName,
    FROMDeviceOperatingSystem,
    TODeviceOperatingSystem
| summarize arg_max(TimeGenerated, *) by TargetDeviceName

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Active Directory - Computer Object - Operating System Name changes

Query Information

Description

References

Microsoft Defender XDR

FilesExpand file tree

AD-ComputerObjectOSNameChanged.md

Latest commit

History

AD-ComputerObjectOSNameChanged.md

File metadata and controls

Active Directory - Computer Object - Operating System Name changes

Query Information

Description

References

Microsoft Defender XDR