Query Details

Identity Directory Events Account Delegation Changed

Query

//Alert when Defender for Identity detects a change in kerberos constrained delegation configuration on a device

//Data connector required for this query - M365 Defender - Identity* tables

IdentityDirectoryEvents
| where ActionType == "Account Constrained Delegation changed"
| extend AF = parse_json(AdditionalFields)
| extend ['Previous Delegation Setting'] = AF.["FROM AccountConstrainedDelegationState"]
| extend ['Current Delegation Setting'] = AF.["TO AccountConstrainedDelegationState"]
| extend ['Device Operating System'] = AF.TargetComputerOperatingSystem
| project
    TimeGenerated,
    TargetDeviceName,
    ['Device Operating System'],
    ['Previous Delegation Setting'],
    ['Current Delegation Setting']

Explanation

This query looks for changes to the Kerberos constrained delegation configuration of a device account and surfaces each such change. It depends on the M365 Defender - Identity data connector and reads from the IdentityDirectoryEvents table, which carries Defender for Identity directory events. The query filters for events whose ActionType is "Account Constrained Delegation changed", parses the AdditionalFields column as JSON, and extracts from it the delegation state before the change, the delegation state after the change, and the target device's operating system. Finally it projects the timestamp, target device name and those extracted fields, so an analyst can see at a glance whether a change granted delegation rights or removed them.
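The following is an added example, not part of Matt Zorich's original query: it swaps the IdentityDirectoryEvents table for a constructed datatable so the detection logic can be exercised in any Kusto environment without a Defender for Identity connector, and adds one extra column that marks changes which enabled delegation rather than removed it. The device names, timestamps and delegation state strings ("None", "Constrained") are constructed for illustration and are assumptions about the shape of the data, not values taken from the product.

```kusto
// Added example: constructed sample rows standing in for IdentityDirectoryEvents.
// The AdditionalFields JSON mirrors the keys the original query reads; the
// state values and host names are invented for this illustration.
let SampleEvents = datatable(
    TimeGenerated:datetime,
    ActionType:string,
    TargetDeviceName:string,
    AdditionalFields:string
)[
    // delegation enabled on a device account (the case a defender wants to review)
    datetime(2022-06-17 09:15:00), "Account Constrained Delegation changed", "SRV-APP01.example.local",
        '{"FROM AccountConstrainedDelegationState":"None","TO AccountConstrainedDelegationState":"Constrained","TargetComputerOperatingSystem":"Windows Server 2019"}',
    // delegation removed (usually expected clean-up)
    datetime(2022-06-17 09:20:00), "Account Constrained Delegation changed", "SRV-APP02.example.local",
        '{"FROM AccountConstrainedDelegationState":"Constrained","TO AccountConstrainedDelegationState":"None","TargetComputerOperatingSystem":"Windows Server 2016"}',
    // unrelated directory event, filtered out by the where clause
    datetime(2022-06-17 09:25:00), "Account Password changed", "SRV-APP03.example.local",
        '{"TargetComputerOperatingSystem":"Windows Server 2019"}'
];
SampleEvents
| where ActionType == "Account Constrained Delegation changed"
| extend AF = parse_json(AdditionalFields)
// bracket notation reads keys that contain spaces; tostring() gives typed columns
| extend ['Previous Delegation Setting'] = tostring(AF["FROM AccountConstrainedDelegationState"])
| extend ['Current Delegation Setting'] = tostring(AF["TO AccountConstrainedDelegationState"])
| extend ['Device Operating System'] = tostring(AF.TargetComputerOperatingSystem)
// Added refinement (assumption: "None" means no delegation configured):
// true when the change turned delegation on, false when it was removed or altered
| extend DelegationAdded = ['Previous Delegation Setting'] == "None"
    and ['Current Delegation Setting'] != "None"
| project
    TimeGenerated,
    TargetDeviceName,
    ['Device Operating System'],
    ['Previous Delegation Setting'],
    ['Current Delegation Setting'],
    DelegationAdded
```

Running this yields two rows, SRV-APP01 with DelegationAdded true and SRV-APP02 with DelegationAdded false; the password-change row never reaches the projection. To run the same logic against live data, drop the `let` block and replace `SampleEvents` with `IdentityDirectoryEvents`, keeping the `DelegationAdded` column if you want to route enable events and removal events to different severities.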

Details


Matt Zorich

Released: June 17, 2022

Tables

IdentityDirectoryEvents

Keywords

IdentityDirectoryEvents, ActionType, Account Constrained Delegation changed, AF, FROM AccountConstrainedDelegationState, TO AccountConstrainedDelegationState, Device Operating System, TimeGenerated, TargetDeviceName, Previous Delegation Setting, Current Delegation Setting

Operators

where, extend, parse_json, project
