KQL Search

Query Details

HomeAI ToolsDevice Query

Function Device Lookup

Query

// Save as a function in your workspace then invoke via its name, i.e if you save as DeviceLookup
// DeviceLookup | where IPAddresses has "10.10.10.10" // will find all devices that have had the IPAddress 10.10.10.10
// DeviceLookup | where ['Logged on Admins'] has "user1" // will find all devices user1 has logged onto as an admin
// DeviceLookup | where array_length( ['Logged on Admins']) > 10 // will find devices with more than 10 local admins logged on 
// This will parse the last 14 days of the DeviceInfo, DeviceLogonEvents and DeviceNetworkInfo tables for information
let deviceinfo=
    DeviceInfo
    | where TimeGenerated > ago (14d)
    | where isnotempty(OSBuild)
    | summarize arg_max(TimeGenerated, *) by DeviceId
    | project DeviceName, DeviceId, OSPlatform, OSBuild;
let logons=
    DeviceLogonEvents
    | where TimeGenerated > ago(14d)
    | project
        DeviceName,
        ActionType,
        LogonType,
        AccountName,
        DeviceId,
        InitiatingProcessCommandLine,
        AdditionalFields,
        IsLocalAdmin
    | where ActionType == "LogonSuccess"
    | where LogonType == "Interactive"
    | where AdditionalFields.IsLocalLogon == true
    | where InitiatingProcessCommandLine == "lsass.exe"
    | summarize
        ['Logged on Users']=make_set_if(AccountName, IsLocalAdmin == "false"),
        ['Logged on Admins']=make_set_if(AccountName, IsLocalAdmin == "true")
        by DeviceId;
let ipaddresses=
    DeviceNetworkInfo
    | where TimeGenerated > ago (14d)
    | mv-expand IPAddresses
    | extend IPAddress = tostring(IPAddresses.IPAddress)
    | summarize IPAddresses=make_set(IPAddress) by DeviceId;
deviceinfo
| lookup logons on DeviceId
| lookup ipaddresses on DeviceId

Explanation

This query retrieves information about devices from the DeviceInfo, DeviceLogonEvents, and DeviceNetworkInfo tables for the last 14 days. It filters the DeviceInfo table to include only devices with a non-empty OSBuild field and groups the results by DeviceId. It then filters the DeviceLogonEvents table to include only successful interactive logins by local admins, and groups the results by DeviceId. Finally, it expands the IPAddresses field in the DeviceNetworkInfo table and groups the results by DeviceId. The query then performs lookups on the logons and ipaddresses tables using the DeviceId field from the deviceinfo table.

Details

Matt Zorich profile picture

Matt Zorich

Released: May 20, 2022

Tables

DeviceInfoDeviceLogonEventsDeviceNetworkInfo

Keywords

DeviceLookup,IPAddresses,LoggedonAdmins,User,DeviceInfo,DeviceLogonEvents,DeviceNetworkInfo,DeviceId,DeviceName,OSPlatform,OSBuild,TimeGenerated,isnotempty,summarize,arg_max,project,ActionType,LogonType,AccountName,InitiatingProcessCommandLine,AdditionalFields,IsLocalAdmin,LogonSuccess,Interactive,IsLocalLogon,lsass.exe,make_set_if,make_set,mv-expand,extend,tostring,lookup

Operators

wherehaswherehaswherearray_length>letwhereisnotemptysummarizearg_maxbyprojectletwhereprojectwherewherewherewheresummarizemake_set_ifmake_set_ifbyletwheremv-expandextendsummarizemake_setbylookuponlookupon

Actions