Identity Logon Events Unexpected Access To Multiple Devices
Query
// Related to https://github.com/ep3p/Sentinel_KQL/edit/main/Queries/Defender%20for%20Endpoint/Multiple-Unexpected%20named%20pipes%20on%20multiple%20devices.kql
let query_frequency = 1h;
let query_period = 14d;
let device_threshold = 15;
let _ExpectedAccounts = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "DeviceNTLMScan"
| summarize make_list(ActorPrincipalName)
);
let _ExpectedTargetDevices = toscalar(
_GetWatchlist("Service-PrivateCorporateServices")
| where Notes has "[NTLMAccess]"
| summarize make_list(HostName)
);
IdentityLogonEvents
| where TimeGenerated > ago(query_frequency)
| where LogonType == "Resource access"// and not(Protocol == "Kerberos")// and Application == "Active Directory" and ActionType == "LogonSuccess"
| where not(tostring(AdditionalFields["ACTOR.DEVICE"]) == tostring(AdditionalFields["TARGET_OBJECT.DEVICE"]))
| where not(AccountUpn in (_ExpectedAccounts))
| where not(TargetDeviceName has_any (_ExpectedTargetDevices))
| extend SourceEntity = coalesce(AccountUpn, IPAddress, DeviceName)
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
SourceDevices = make_set_if(DeviceName, isnotempty(DeviceName)),
SourceIPAddresses = make_set_if(IPAddress, isnotempty(IPAddress)),
take_any(AccountUpn, AccountName, AccountDomain, AccountSid, AccountObjectId, AccountDisplayName, ActionType)
by SourceEntity, TargetDeviceName, Application, Protocol
| join kind=leftanti (
IdentityLogonEvents
| where TimeGenerated between (ago(query_period) .. ago(query_frequency))
| where LogonType == "Resource access"// and not(Protocol == "Kerberos")// and Application == "Active Directory" and ActionType == "LogonSuccess"
| where not(tostring(AdditionalFields["ACTOR.DEVICE"]) == tostring(AdditionalFields["TARGET_OBJECT.DEVICE"]))
| where not(AccountUpn in (_ExpectedAccounts))
| where not(TargetDeviceName has_any (_ExpectedTargetDevices))
| extend SourceEntity = coalesce(AccountUpn, IPAddress, DeviceName)
| where not(isempty(SourceEntity) or isempty(TargetDeviceName))
) on SourceEntity, TargetDeviceName
| summarize
StartTime = min(StartTime),
EndTime = max(EndTime),
SourceDevices = make_set(SourceDevices),
SourceIPAddresses = make_set(SourceIPAddresses),
TargetDevices = make_set_if(TargetDeviceName, isnotempty(TargetDeviceName), 250),
take_any(AccountUpn, AccountName, AccountDomain, AccountSid, AccountObjectId, AccountDisplayName, ActionType)
by SourceEntity, Application, Protocol
| extend TargetDevicesCount = array_length(TargetDevices)
| where TargetDevicesCount > device_threshold
| extend SourceDevice = iff(array_length(SourceDevices) == 1, tostring(SourceDevices[0]), "")
| sort by TargetDevicesCount desc
| project
StartTime,
EndTime,
Application,
ActionType,
Protocol,
SourceEntity,
SourceDevice,
SourceDevices,
SourceIPAddresses,
TargetDevicesCount,
TargetDevices,
AccountDisplayName,
AccountUpn,
AccountSid,
AccountObjectIdExplanation
This query is designed to identify unusual patterns of resource access across multiple devices within a network, specifically focusing on NTLM (NT LAN Manager) authentication events. Here's a simplified breakdown of what the query does:
-
Setup Parameters:
- The query checks events within the last hour (
query_frequency) and compares them against a 14-day period (query_period). - It looks for cases where more than 15 different target devices are accessed (
device_threshold).
- The query checks events within the last hour (
-
Expected Accounts and Devices:
- It retrieves lists of expected accounts and target devices from predefined watchlists to filter out known, legitimate activities.
-
Filter Recent Events:
- It examines recent logon events (within the last hour) where:
- The logon type is "Resource access".
- The source and target devices are different.
- The account and target device are not in the expected lists.
- It collects information about the source entity (user or device) and the target device.
- It examines recent logon events (within the last hour) where:
-
Compare with Historical Data:
- It compares these recent events against similar events from the past 14 days to find new or unusual access patterns.
-
Summarize and Filter:
- It summarizes the data to find source entities that have accessed more than 15 different target devices.
- It sorts the results by the number of target devices accessed and presents detailed information about these activities.
-
Output:
- The final output includes details such as the time range of the activity, application, action type, protocol, source entity, source device, list of source devices and IP addresses, count of target devices, and account details.
In essence, this query helps identify potentially suspicious activities where an account or device is accessing an unusually high number of different devices, which could indicate unauthorized access or lateral movement within the network.
Details

Jose Sebastián Canós
Released: June 25, 2024
Tables
IdentityLogonEvents
Keywords
DevicesIdentityLogonEventsAccountApplicationProtocolSourceEntityTargetIPAddress
Operators
lettoscalar_GetWatchlistwheresummarizemake_listagotostringhas_anycoalescemake_set_iftake_anybyjoinkindbetweenisemptyonmake_setarray_lengthiffsortdescproject