Device Detect Logons Priorto MDE Alert

//When a Defender for Endpoint alert is triggered, search for the most recent interactive logon to the device prior to the alert. //Data connector required for this query - M365 Defender - Device* tables //Data connector required for this query - Security Alert (free table that other Defender products send alert info to) //Also returns if that user is a local admin on the device. let timeframe = 48h; SecurityAlert | where TimeGenerated > ago(timeframe) | where ProviderName == "MDATP" | project AlertTime=TimeGenerated, DeviceName=CompromisedEntity, AlertName | join kind=inner ( DeviceLogonEvents | project TimeGenerated, LogonType, ActionType, InitiatingProcessCommandLine, IsLocalAdmin, AccountName, DeviceName | where LogonType in ("Interactive", "RemoteInteractive") | where ActionType == "LogonSuccess" | where InitiatingProcessCommandLine == "lsass.exe" ) on DeviceName | where (AlertTime - TimeGenerated) between (0min .. timeframe) | summarize arg_max(TimeGenerated, *) by DeviceName | project LogonTime=TimeGenerated, AlertTime, AlertName, DeviceName, AccountName, IsLocalAdmin

Explanation

This query searches for the most recent interactive logon to a device prior to a Defender for Endpoint alert. It also checks if the user is a local admin on the device. It uses the M365 Defender - Device* tables and the Security Alert table. The timeframe for the search is set to the last 48 hours. The query joins the SecurityAlert table with the DeviceLogonEvents table based on the device name. It then filters the results based on the time difference between the alert and the logon event. Finally, it summarizes the results and returns the logon time, alert time, alert name, device name, account name, and whether the user is a local admin.

KQL Search

Device Detect Logons Priorto MDE Alert

Query

Explanation

Details

Actions