query performance improvement

Alex Verboon · Alex Verboon · commit 81dd7363b4a1 · 2020-09-22T21:38:37.000+02:00
diff --git a/Persistence/LocalAdminGroupChanges.txt b/Persistence/LocalAdminGroupChanges.txt
@@ -20,11 +20,11 @@ DeviceEvents
 | extend LocalGroup = AccountName
 | extend LocalGroupSID = AccountSid
 | extend Actor = trim(@"[^\w]+",InitiatingProcessAccountName)
+// limit to local administrators group
+//  | where LocalGroupSID contains "S-1-5-32-544"
 | join kind= leftouter    (NewUsers)
 on $left.AddedAccountSID == $right.NewUserSID
 | project Timestamp, DeviceName, LocalGroup,LocalGroupSID, AddedAccountSID, lUserAdded , Actor, ActionType , laccountdomain 
-// limit to local administrators group
-// | where LocalGroupSID contains "S-1-5-32-544"
 | join kind= leftouter        (ADAZUsers)
 on $left.AddedAccountSID == $right.OnPremSid
 | extend UserAdded = iff(isnotempty(lUserAdded),strcat(laccountdomain,"\\", lUserAdded), strcat(DirectoryDomain,"\\", DirectoryAccount))
