Query Details

Function Retrieve All DCs

Query

// Query several tables to retrieve all your DCs - such as Kerberos, DNS, replication events.
// Each branch is a heuristic; a host is treated as a DC if it shows up in any one of them.
// Hosts that received SAMR queries
let SamrDC=
IdentityQueryEvents
| where TimeGenerated > ago (30d)
| where ActionType == "SAMR query"
| distinct DestinationDeviceName;
// DNS servers that logged lookups for Kerberos SRV records (Computer is the logging DNS server)
let DnsDC=
DnsEvents
| where TimeGenerated > ago (30d)
| where Name startswith "_kerberos."
| distinct Computer
| extend DestinationDeviceName = tolower(Computer);
// DNS servers that answered Kerberos SRV lookups observed by Defender for Identity
let SrvDC=
IdentityQueryEvents
| where TimeGenerated > ago (30d)
| where QueryType == "Srv"
| where QueryTarget startswith "_kerberos."
| distinct DestinationDeviceName;
// Destinations of Directory Services replication
let directoryeventsDC=
IdentityDirectoryEvents
| where TimeGenerated > ago (30d)
| where ActionType in ("Directory Services replication")
// Exclude Azure AD Connect
| where isnotempty( AccountName) and isnotempty( DestinationDeviceName)
| distinct DestinationDeviceName;
union isfuzzy= true SamrDC, DnsDC, SrvDC, directoryeventsDC
// Normalise case before deduplicating so the same host is not listed twice
| project DestinationDeviceName = tolower(DestinationDeviceName)
| distinct DestinationDeviceName

Explanation

This query builds a list of domain controllers (DCs) by combining four signals from the last 30 days: hosts that received SAMR queries (IdentityQueryEvents), DNS servers that logged lookups for names starting with "_kerberos." (DnsEvents), hosts that answered Srv queries for targets starting with "_kerberos." (IdentityQueryEvents), and destinations of Directory Services replication events (IdentityDirectoryEvents). The replication branch keeps only events with a populated AccountName and DestinationDeviceName, which the author uses to exclude Azure AD Connect. The four branches are unioned and the distinct destination device names are returned. Because every branch is a heuristic, a non-DC DNS server or a member server that happens to receive SAMR queries can appear in the output, so treat the result as a list to verify against your known DC inventory rather than as authoritative.
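The original query returns bare hostnames, which makes it hard to judge why a host was classified as a DC or whether a real DC is missing. The following variant is an added example, not the original author's query: it reuses the same four signals but tags each host with the signal(s) that surfaced it and the time it was last seen, then sorts the weakest evidence to the top. Column and table names are the same as in the original; the `Source` labels and the `lookback` variable are introduced here.

```kql
// Added example: same four DC heuristics as the original query, but with per-signal
// attribution and last-seen time so coverage gaps and false positives are visible.
let lookback = 30d;
let SamrDC =
IdentityQueryEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "SAMR query"
| summarize LastSeen = max(TimeGenerated) by DestinationDeviceName = tolower(DestinationDeviceName)
| extend Source = "SAMR query";
let DnsDC =
DnsEvents
| where TimeGenerated > ago(lookback)
| where Name startswith "_kerberos."
// Computer is the DNS server that logged the lookup, not the client
| summarize LastSeen = max(TimeGenerated) by DestinationDeviceName = tolower(Computer)
| extend Source = "DNS server logging _kerberos lookups";
let SrvDC =
IdentityQueryEvents
| where TimeGenerated > ago(lookback)
| where QueryType == "Srv" and QueryTarget startswith "_kerberos."
| summarize LastSeen = max(TimeGenerated) by DestinationDeviceName = tolower(DestinationDeviceName)
| extend Source = "Kerberos SRV lookup";
let ReplDC =
IdentityDirectoryEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "Directory Services replication"
// Same filter the original uses to exclude Azure AD Connect
| where isnotempty(AccountName) and isnotempty(DestinationDeviceName)
| summarize LastSeen = max(TimeGenerated) by DestinationDeviceName = tolower(DestinationDeviceName)
| extend Source = "Directory Services replication";
union isfuzzy=true SamrDC, DnsDC, SrvDC, ReplDC
| summarize Sources = make_set(Source),
            SignalCount = dcount(Source),
            LastSeen = max(LastSeen)
    by DestinationDeviceName
// Hosts seen by only one signal, or not seen recently, are the ones to check by hand
| order by SignalCount asc, LastSeen asc
```

A host with `SignalCount == 1` whose only source is the DNS branch is a candidate non-DC DNS server; a known DC with `SignalCount == 1` or an old `LastSeen` usually means a sensor or log source is not reporting for it. Lower `lookback` to tighten the window once the baseline is understood.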

Details


Matt Zorich

Released: December 11, 2021

Tables

IdentityQueryEvents, DnsEvents, IdentityDirectoryEvents

Keywords

DCs, Kerberos, DNS, Replication, Events, IdentityQueryEvents, ActionType, SAMR query, DestinationDeviceName, DnsEvents, Name, _kerberos, Computer, Srv, QueryType, QueryTarget, IdentityDirectoryEvents, Directory Services replication, Azure AD Connect, AccountName

Operators

where, ago, distinct, startswith, extend, tolower, in, isnotempty, union isfuzzy
