Query Details
// Get the top 5 users whose logons have had the most anomalous increase
// Service accounts showing up here are especially suspicious
let interval = 12h;
IdentityLogonEvents
| where isnotempty(AccountUpn)
| make-series LogonCount = count() on Timestamp from ago(30d) to now() step interval by AccountUpn
| extend (flag, score, baseline) = series_decompose_anomalies(LogonCount)
| mv-expand with_itemindex = FlagIndex flag to typeof(int) // Expand, but this time include the index in the array as FlagIndex
| where flag == 1 // Once again, filter only to spikes
| extend SpikeScore = todouble(score[FlagIndex]) // This will get the specific score associated with the detected spike
| summarize MaxScore = max(SpikeScore) by AccountUpn
| top 5 by MaxScore desc
| join kind=rightsemi IdentityLogonEvents on AccountUpn // Rejoin top 5 anomalous upns to all their logons
| summarize LogonCount = count() by AccountUpn, bin(Timestamp, interval)
| render timechart
This query looks for the top 5 users with the most unusual increase in logons. Service accounts that surface in the results are especially suspicious, since their logon volume is normally stable. The query counts logons per account in 12-hour bins over the past 30 days and runs series_decompose_anomalies over each series to flag anomalous bins. It keeps only positive spikes (flag == 1), reads the anomaly score at each flagged index, takes the highest spike score per account, and selects the top 5. Finally, it rejoins those accounts to all of their logon events and renders the logon count per 12-hour bin as a timechart.
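As an added example, not part of the original query page, the Python below mirrors the spike-selection pipeline (expand flags with their index, keep only flag == 1, read score[FlagIndex], take the max per account, rank) on constructed 12-hour logon counts. The median/MAD scorer is a deliberately simplified stand-in for series_decompose_anomalies, which uses seasonal decomposition plus Tukey's fence on the residual; account names and counts are made up.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: logon counts per account in twelve 12h bins, standing in
# for the make-series output of the KQL query (accounts and values are invented).
STEP = timedelta(hours=12)
START = datetime(2021, 11, 1)
SERIES = {
    "alice@example.com":      [20, 18, 21, 19, 22, 20, 21, 19, 20, 18, 21, 20],  # steady user
    "svc-backup@example.com": [2, 2, 3, 2, 2, 2, 2, 40, 2, 3, 2, 2],             # flat service account, one spike
    "bob@example.com":        [10, 9, 11, 10, 0, 10, 9, 10, 11, 10, 9, 10],      # a dip, not a spike
    "carol@example.com":      [5, 5, 6, 5, 5, 5, 16, 5, 6, 5, 5, 5],             # smaller spike
}

def decompose_anomalies(counts, threshold=3.0):
    """Simplified stand-in for series_decompose_anomalies: returns (flags, scores).
    Score is the deviation from the series median in MAD units (floored at 1 so a
    flat series does not divide by zero); flag is +1 spike, -1 dip, 0 normal."""
    baseline = median(counts)
    mad = median(abs(c - baseline) for c in counts)
    scale = max(mad, 1.0)
    scores = [(c - baseline) / scale for c in counts]
    flags = [1 if s > threshold else -1 if s < -threshold else 0 for s in scores]
    return flags, scores

def spike_scores(series, threshold=3.0):
    """mv-expand with_itemindex | where flag == 1 | extend SpikeScore = score[FlagIndex]."""
    for account, counts in series.items():
        flags, scores = decompose_anomalies(counts, threshold)
        for idx, flag in enumerate(flags):        # idx plays the role of FlagIndex
            if flag == 1:                         # spikes only; dips are dropped
                yield account, idx, scores[idx]   # the score aligned with the flagged bin

def top_anomalous_accounts(series, n=5, threshold=3.0):
    """summarize MaxScore = max(SpikeScore) by AccountUpn | top n by MaxScore desc."""
    max_score = {}
    for account, _, score in spike_scores(series, threshold):
        max_score[account] = max(score, max_score.get(account, float("-inf")))
    return sorted(max_score.items(), key=lambda kv: kv[1], reverse=True)[:n]

def spike_times(series, threshold=3.0):
    """Timestamp of each flagged bin, i.e. where to look in the rejoined timechart."""
    return {acct: START + idx * STEP for acct, idx, _ in spike_scores(series, threshold)}

if __name__ == "__main__":
    for account, score in top_anomalous_accounts(SERIES):
        print(f"{account:28} max spike score {score:6.1f} at {spike_times(SERIES)[account]}")
```

Bob's outage-like dip gets flag -1 and never reaches the ranking, which is exactly what the `where flag == 1` stage in the query is for.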

C.J. May
Released: November 8, 2021