Identity Directory Events ADFS DKM Property Read

This KQL (Kusto Query Language) query is designed to identify specific security-related events within a dataset called IdentityDirectoryEvents. Here's a breakdown of what the query does:

Filter Events: It filters the events to only include those where the ActionType is "ADFS DKM property read". This indicates a specific type of action related to Active Directory Federation Services (ADFS).
Extract Additional Information: It extracts additional information from the AdditionalFields column, specifically:
- DeviceName: The name of the device involved in the event.
- DeviceSid: The security identifier (SID) of the source computer.
- AdfsObjectId: The object ID related to ADFS.
Reorder Columns: It rearranges the columns in the output to prioritize certain fields, making it easier to read and analyze. The columns are reordered as follows:
- TimeGenerated: When the event occurred.
- Application: The application related to the event.
- AccountName, AccountDomain, AccountUpn, AccountDisplayName: Various identifiers and names for the account involved.
- DeviceName: The name of the device.
- ActionType: The type of action (in this case, "ADFS DKM property read").
- AdfsObjectId: The ADFS object ID.
- AccountSid: The security identifier for the account.
- DeviceSid: The security identifier for the device.
- AdditionalFields: Any other additional fields.
- ReportId: An identifier for the report.

In summary, this query is used to detect and organize specific ADFS-related events that should trigger an alert, providing detailed information about the account and device involved.

KQL Search

Identity Directory Events ADFS DKM Property Read

Query

Explanation

Details

Actions