Query Details
Assigned Primary Tokens
Query
Use Case: Monitoring security events to identify potential unauthorized privilege escalations or access attempts within the last 7 days.
Query:
WindowsEvent('Security', 7d)
| where Message contains 'primary token was assigned'Explanation
The query is looking for security events in the Windows Event log that occurred within the last 7 days. It specifically filters for events that contain the message "primary token was assigned". The purpose is to monitor for any potential unauthorized privilege escalations or access attempts.
Details
Ugur Koc
Released: February 4, 2024
Tables
Security
Keywords
Monitoring,Security,Events,Unauthorized,PrivilegeEscalations,AccessAttempts,Last7Days,WindowsEvent,Message,PrimaryTokenwasAssigned
Operators
|wherecontains