Query Details

Identity Directory Events Encryption Change

Query

//Detect when the encryption types on a device are changed and parse the previous and current encryption types.

//Data connector required for this query - M365 Defender - Identity* tables or Advanced Hunting license

//If you don't send Defender for Id logs to Sentinel you can use the query in M365 Advanced Hunting directly
IdentityDirectoryEvents
| where ActionType == "Account Supported Encryption Types changed"
| parse AdditionalFields with * 'FROM AccountSupportedEncryptionTypes":"' PreviousEncryption '"' *
| parse AdditionalFields with * 'TO AccountSupportedEncryptionTypes":"' CurrentEncryption '"' *
| project TimeGenerated, TargetDeviceName, PreviousEncryption, CurrentEncryption

Explanation

This query detects when the supported encryption types on a device account are changed and extracts the previous and current encryption types. It requires the M365 Defender data connector (Identity tables) in Sentinel or an Advanced Hunting license. If you don't send Defender for Identity logs to Sentinel, you can run the query directly in M365 Advanced Hunting. The query reads the IdentityDirectoryEvents table, keeps only events whose ActionType is "Account Supported Encryption Types changed", and then parses AdditionalFields to pull out the value following "FROM AccountSupportedEncryptionTypes" (the previous setting) and the value following "TO AccountSupportedEncryptionTypes" (the current setting). The output lists the timestamp, target device name, previous encryption types, and current encryption types.
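The following Python is an added example, not part of the original query page and not Microsoft's code: it replays the same parse logic (substring between the "FROM ..."/"TO ..." markers and the next double quote) over a few constructed IdentityDirectoryEvents rows, and then adds an assessment step the KQL does not have, flagging changes that drop AES or add RC4/DES. The sample events, the cipher names in the extracted values, and the helper names are all assumptions; the live field may spell the encryption types differently.

```python
"""Added example: replay the KQL parse over constructed sample events and rate each change."""

# Marker strings copied from the KQL parse patterns on the page.
FROM_MARKER = 'FROM AccountSupportedEncryptionTypes":"'
TO_MARKER = 'TO AccountSupportedEncryptionTypes":"'

# Assumed spelling of the cipher names inside the extracted value text.
STRONG = {"AES128", "AES256"}
WEAK = {"DES", "RC4"}


def extract_between(text, marker):
    """Mimic KQL `parse ... with * marker Value '"' *`.

    Returns the text between the marker and the next double quote, or None
    when the marker is absent (KQL leaves the column null in that case).
    """
    start = text.find(marker)
    if start == -1:
        return None
    start += len(marker)
    end = text.find('"', start)
    return text[start:end] if end != -1 else None


def split_types(value):
    """Turn 'RC4, AES256' into {'RC4', 'AES256'}; empty set for None/empty."""
    if not value:
        return set()
    return {t.strip().upper() for t in value.split(",") if t.strip()}


def classify(previous, current):
    """Rate the change from a defender's point of view."""
    prev, cur = split_types(previous), split_types(current)
    if not prev or not cur:
        return "unparsed"
    if (prev & STRONG) and not (cur & STRONG):
        return "downgrade"      # AES removed entirely: only weak ciphers remain
    if (cur & WEAK) - (prev & WEAK):
        return "weak-added"     # a weak cipher was newly enabled
    if (prev & WEAK) and not (cur & WEAK):
        return "hardening"      # weak ciphers removed
    return "other"


def parse_event(event):
    """Equivalent of the query's two parse lines plus the project, with an Assessment column added."""
    fields = event["AdditionalFields"]
    previous = extract_between(fields, FROM_MARKER)
    current = extract_between(fields, TO_MARKER)
    return {
        "TimeGenerated": event["TimeGenerated"],
        "TargetDeviceName": event["TargetDeviceName"],
        "PreviousEncryption": previous,
        "CurrentEncryption": current,
        "Assessment": classify(previous, current),
    }


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    {
        "TimeGenerated": "2022-06-17T10:00:00Z",
        "ActionType": "Account Supported Encryption Types changed",
        "TargetDeviceName": "SRV01",
        "AdditionalFields": '{"FROM AccountSupportedEncryptionTypes":"AES128, AES256",'
                            '"TO AccountSupportedEncryptionTypes":"RC4"}',
    },
    {
        "TimeGenerated": "2022-06-17T10:05:00Z",
        "ActionType": "Account Supported Encryption Types changed",
        "TargetDeviceName": "WS07",
        "AdditionalFields": '{"FROM AccountSupportedEncryptionTypes":"RC4, AES256",'
                            '"TO AccountSupportedEncryptionTypes":"AES256"}',
    },
    {
        "TimeGenerated": "2022-06-17T10:07:00Z",
        "ActionType": "Account Password changed",
        "TargetDeviceName": "WS07",
        "AdditionalFields": "{}",
    },
]


def run(events=SAMPLE_EVENTS):
    """Apply the `where ActionType == ...` filter, then parse and project each row."""
    return [
        parse_event(e)
        for e in events
        if e["ActionType"] == "Account Supported Encryption Types changed"
    ]


if __name__ == "__main__":
    for row in run():
        print(row)
```

The assessment column is the part worth adding to the KQL in practice: a change that leaves only RC4 or DES enabled on a device account weakens its Kerberos tickets, so it deserves a higher priority than a change that removes those ciphers.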

Details


Matt Zorich

Released: June 17, 2022

Tables

IdentityDirectoryEvents

Keywords

IdentityDirectoryEvents,ActionType,AccountSupportedEncryptionTypes,AdditionalFields,TimeGenerated,TargetDeviceName,PreviousEncryption,CurrentEncryption

Operators

where, ==, parse, with, *
