Identity Logon Events Summarize NTLM
Query
//Summarize NTLM authentications by which source computers & accounts are connecting to the most destination devices
//Data connector required for this query - M365 Defender - Identity* tables
//Microsoft Sentinel query
IdentityLogonEvents
| where TimeGenerated > ago(7d)
| where ActionType == "LogonSuccess"
| where Protocol =~ "Ntlm"
| where LogonType == "Credentials validation"
| summarize ['Target Device List']=make_set(DestinationDeviceName), ['Target Device Count']=dcount(DestinationDeviceName) by DeviceName, AccountName
| sort by ['Target Device Count'] desc
//Advanced Hunting query
IdentityLogonEvents
//Data connector required for this query - Advanced Hunting license
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
| where Protocol =~ "Ntlm"
| where LogonType == "Credentials validation"
| summarize ['Target Device List']=make_set(DestinationDeviceName), ['Target Device Count']=dcount(DestinationDeviceName) by DeviceName, AccountName
| sort by ['Target Device Count'] descExplanation
This query analyzes NTLM authentications to determine which source computers and accounts are connecting to the most destination devices. It uses the IdentityLogonEvents table from the M365 Defender - Identity* data connector or the Advanced Hunting license data connector. The query filters for logon events that occurred within the last 7 days, have a successful logon action, use the NTLM protocol, and involve credentials validation. It then summarizes the results by the DeviceName and AccountName, creating a list of target devices and counting the number of unique devices. The results are sorted in descending order based on the target device count.
Details

Matt Zorich
Released: April 13, 2023
Tables
IdentityLogonEvents
Keywords
DevicesIntuneUser
Operators
where>ago===~summarizemake_setdcountbysort