Local Admin Sign-in
Purpose
Review successful interactive sign-ins by accounts that are local administrators on devices, counted per account, device, and account domain.
Query
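DeviceLogonEvents
// Keep only sign-ins where the account is a local administrator on the device
| where IsLocalAdmin == true
// Interactive sign-ins only
| where LogonType == "Interactive"
// Successful sign-ins only
| where ActionType == "LogonSuccess"
// Count sign-ins per account, device, and account domain
| summarize count() by AccountName, DeviceName, AccountDomain
// Most frequent combinations first
| sort by count_ desc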