Query Details

Identity Logon Events Summarize NTLM

Query

//Summarize NTLM authentications by which source computers & accounts are connecting to the most destination devices

//Data connector required for this query - M365 Defender - Identity* tables

//Microsoft Sentinel query
IdentityLogonEvents
| where TimeGenerated > ago(7d)
| where ActionType == "LogonSuccess"
| where Protocol =~ "Ntlm"
| where LogonType == "Credentials validation"
| summarize ['Target Device List']=make_set(DestinationDeviceName), ['Target Device Count']=dcount(DestinationDeviceName) by DeviceName, AccountName
| sort by ['Target Device Count'] desc 

//Advanced Hunting query
//Data connector required for this query - Advanced Hunting license
IdentityLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
| where Protocol =~ "Ntlm"
| where LogonType == "Credentials validation"
| summarize ['Target Device List']=make_set(DestinationDeviceName), ['Target Device Count']=dcount(DestinationDeviceName) by DeviceName, AccountName
| sort by ['Target Device Count'] desc

Explanation

This query analyzes successful NTLM authentications to find the source computers and accounts that are connecting to the largest number of distinct destination devices. It uses the IdentityLogonEvents table, populated either by the M365 Defender - Identity* data connector in Microsoft Sentinel or by an Advanced Hunting license. The query keeps logon events from the last 7 days that have a successful logon action (ActionType == "LogonSuccess"), use the NTLM protocol (matched case-insensitively with =~), and have the "Credentials validation" logon type. It then summarizes by DeviceName and AccountName, building the set of destination devices (make_set) and counting the distinct ones (dcount), so repeated logons to the same destination are counted once. The results are sorted in descending order by target device count, placing the sources that fan out across the most hosts at the top.
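The same filter-and-summarize logic, as an added Python example that is not part of the page or the query author's work, run over constructed IdentityLogonEvents-like rows. Hostnames, account names and the fixed "now" are assumptions; the rows are built to show what the query drops (failed logons, Kerberos, events older than 7 days) and how dcount collapses repeated logons to one destination.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "now" so the 7-day window is reproducible (constructed value).
NOW = datetime(2023, 4, 13, tzinfo=timezone.utc)

def _ev(days_ago, action, proto, logon_type, src, account, dst):
    """Build one constructed IdentityLogonEvents-like row (only the columns the query uses)."""
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "ActionType": action,
            "Protocol": proto, "LogonType": logon_type, "DeviceName": src,
            "AccountName": account, "DestinationDeviceName": dst}

# Constructed sample data; hostnames and accounts are placeholders, not real indicators.
SAMPLE_EVENTS = [
    _ev(1, "LogonSuccess", "Ntlm", "Credentials validation", "ws01", "svc_backup", "fs01"),
    _ev(1, "LogonSuccess", "Ntlm", "Credentials validation", "ws01", "svc_backup", "fs01"),  # repeat: dcount ignores it
    _ev(2, "LogonSuccess", "Ntlm", "Credentials validation", "ws01", "svc_backup", "fs02"),
    _ev(3, "LogonSuccess", "Ntlm", "Credentials validation", "ws01", "svc_backup", "fs03"),
    _ev(8, "LogonSuccess", "Ntlm", "Credentials validation", "ws01", "svc_backup", "fs09"),  # outside the 7d window
    _ev(1, "LogonSuccess", "NTLM", "Credentials validation", "ws02", "alice", "fs02"),      # =~ matches any case
    _ev(1, "LogonSuccess", "Ntlm", "Credentials validation", "ws02", "alice", "fs01"),
    _ev(1, "LogonSuccess", "Kerberos", "Credentials validation", "ws02", "alice", "dc01"),  # not NTLM
    _ev(1, "LogonFailed", "Ntlm", "Credentials validation", "ws03", "bob", "fs01"),          # not a success
]

def summarize_ntlm(events, now=NOW, window=timedelta(days=7)):
    """Python rendering of the KQL pipeline: filter, make_set + dcount by source/account, sort desc."""
    targets = defaultdict(set)
    for e in events:
        if e["TimeGenerated"] <= now - window:          # TimeGenerated > ago(7d)
            continue
        if e["ActionType"] != "LogonSuccess":            # ActionType == "LogonSuccess"
            continue
        if e["Protocol"].lower() != "ntlm":              # Protocol =~ "Ntlm" (case-insensitive)
            continue
        if e["LogonType"] != "Credentials validation":   # LogonType == "Credentials validation"
            continue
        targets[(e["DeviceName"], e["AccountName"])].add(e["DestinationDeviceName"])
    rows = [{"DeviceName": d, "AccountName": a,
             "Target Device List": sorted(t), "Target Device Count": len(t)}
            for (d, a), t in targets.items()]
    return sorted(rows, key=lambda r: r["Target Device Count"], reverse=True)

if __name__ == "__main__":
    for row in summarize_ntlm(SAMPLE_EVENTS):
        print(row["DeviceName"], row["AccountName"], row["Target Device Count"], row["Target Device List"])
```

Running it yields ws01/svc_backup with 3 targets ahead of ws02/alice with 2; the repeated fs01 logon, the 8-day-old event, the Kerberos logon and the failed logon do not contribute.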

Details

Matt Zorich

Released: April 13, 2023

Tables

IdentityLogonEvents

Keywords

Devices,Intune,User

Operators

where, >, ago, ==, =~, summarize, make_set, dcount, by, sort