Query Details

Identity Logon Events Unusual Delegated Resource Access

Query

// Evaluation interval (how often the rule runs) and the baseline lookback.
let query_frequency = 1h;
let query_period = 14d;
IdentityLogonEvents
// Candidates: Kerberos delegation logons from the current run interval.
| where TimeGenerated > ago(query_frequency)
| where LogonType == "Delegated resource access"
// Promote the delegation-specific values out of the dynamic AdditionalFields
// column; join keys must be scalar, hence tostring().
| extend
    KerberosDelegationType = tostring(AdditionalFields["KerberosDelegationType"]),
    ActorObjectSid = AccountSid,
    ActorObjectName = tostring(AdditionalFields["ACTOR.DEVICE"]),
    TargetServicePrincipalNames = tostring(AdditionalFields["Spns"])
// Baseline: the same combinations over the previous 14 days, excluding the
// current interval. leftanti keeps only candidates with no baseline match.
| join kind=leftanti (
    IdentityLogonEvents
    | where TimeGenerated between (ago(query_period) .. ago(query_frequency))
    | extend
        KerberosDelegationType = tostring(AdditionalFields["KerberosDelegationType"]),
        ActorObjectSid = AccountSid,
        ActorObjectName = tostring(AdditionalFields["ACTOR.DEVICE"]),
        TargetServicePrincipalNames = tostring(AdditionalFields["Spns"])
    ) on KerberosDelegationType, ActorObjectSid, ActorObjectName, IPAddress, TargetServicePrincipalNames, TargetDeviceName, TargetAccountDisplayName
// One row per previously unseen combination, keeping its earliest occurrence.
| summarize arg_min(TimeGenerated, *) by KerberosDelegationType, ActorObjectSid, ActorObjectName, IPAddress, TargetServicePrincipalNames, TargetDeviceName, TargetAccountDisplayName
// Fields an analyst needs to triage the hit.
| project
    TimeGenerated,
    Application,
    ActionType,
    LogonType,
    Protocol,
    KerberosDelegationType,
    ActorObjectSid,
    ActorObjectName,
    IPAddress,
    TargetServicePrincipalNames,
    TargetDeviceName,
    TargetAccountDisplayName,
    AdditionalFields

Explanation

This query looks for IdentityLogonEvents from the last hour (query_frequency) whose LogonType is "Delegated resource access", that is, a Kerberos delegation logon in which one principal obtains a service ticket to a resource on behalf of another. It promotes the delegation-specific values from the dynamic AdditionalFields column into ordinary columns: KerberosDelegationType, the actor's SID (taken from AccountSid), the actor device (ACTOR.DEVICE) and the target service principal names (Spns). The tostring() casts are required because the values are then used as join keys. A leftanti join against the same table over the preceding 14 days (query_period, excluding the last hour) drops every event whose combination of delegation type, actor SID, actor device, source IP address, target SPNs, target device and target account already occurred in that baseline, so only combinations never seen during the lookback survive. summarize arg_min then collapses repeated new combinations to their first occurrence, and project outputs the fields needed to triage the result.

Two points follow from this design. The query assumes it is scheduled at query_frequency: run hourly, every delegation pattern is evaluated exactly once, against a baseline that already contains the previous hour. And the baseline is purely behavioural, so the first run against a newly onboarded sensor, and any legitimate delegation that recurs less often than every 14 days, will surface as new. Hits are therefore candidates for review (who is delegating, from where, to which SPNs, and whether the delegation type is expected for that service), not confirmed abuse of Kerberos delegation.
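To make the window and join logic concrete, the following is an added example, not part of the original page or the author's query: a stand-alone Python re-implementation of the same detection over a handful of constructed IdentityLogonEvents-like rows. All hostnames, SIDs, SPNs and IP addresses are invented, and the reference time, the hypothetical event() builder and find_unusual_delegations() are assumptions of this example. It shows the three behaviours that matter in practice: a pattern present in the 14-day baseline is suppressed, a pattern last seen outside the baseline alerts again, and duplicates of a new pattern collapse to the earliest occurrence, exactly as arg_min does.

```python
# Added example (not from the original page): Python mirror of the KQL
# "unusual delegated resource access" logic. All data below is constructed.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 24, 12, 0, tzinfo=timezone.utc)   # constructed "now"
QUERY_FREQUENCY = timedelta(hours=1)                      # let query_frequency = 1h;
QUERY_PERIOD = timedelta(days=14)                         # let query_period = 14d;
DELEGATED = "Delegated resource access"

# Join keys used by the query's leftanti join and by summarize ... by.
KEY_FIELDS = (
    "KerberosDelegationType", "ActorObjectSid", "ActorObjectName", "IPAddress",
    "TargetServicePrincipalNames", "TargetDeviceName", "TargetAccountDisplayName",
)


def event(age, actor_sid, actor_device, ip, spn, target_device, target_account,
          delegation="Constrained", logon_type=DELEGATED):
    """Hypothetical builder for one IdentityLogonEvents-like row, `age` before NOW."""
    return {
        "TimeGenerated": NOW - age,
        "LogonType": logon_type,
        "AccountSid": actor_sid,
        "IPAddress": ip,
        "TargetDeviceName": target_device,
        "TargetAccountDisplayName": target_account,
        "AdditionalFields": {
            "KerberosDelegationType": delegation,
            "ACTOR.DEVICE": actor_device,
            "Spns": spn,
        },
    }


# Constructed sample data (hypothetical hosts, SIDs, SPNs and addresses).
EVENTS = [
    # Known-good pattern: seen 3 days ago and again 30 minutes ago -> suppressed.
    event(timedelta(days=3), "S-1-5-21-1-1-1-1105", "web01", "10.0.0.5",
          "MSSQLSvc/sql01.corp.local:1433", "sql01", "svc_web"),
    event(timedelta(minutes=30), "S-1-5-21-1-1-1-1105", "web01", "10.0.0.5",
          "MSSQLSvc/sql01.corp.local:1433", "sql01", "svc_web"),
    # Pattern last seen 20 days ago: outside the 14-day baseline -> alerts again.
    event(timedelta(days=20), "S-1-5-21-1-1-1-1200", "app02", "10.0.0.7",
          "HTTP/api01.corp.local", "api01", "svc_app"),
    event(timedelta(minutes=45), "S-1-5-21-1-1-1-1200", "app02", "10.0.0.7",
          "HTTP/api01.corp.local", "api01", "svc_app"),
    # Never-seen workstation delegating unconstrained to a file server: alerts,
    # and the duplicate 10 minutes later collapses into the first occurrence.
    event(timedelta(minutes=20), "S-1-5-21-1-1-1-1500", "ws42", "10.0.1.42",
          "cifs/fs01.corp.local", "fs01", "jdoe", delegation="Unconstrained"),
    event(timedelta(minutes=10), "S-1-5-21-1-1-1-1500", "ws42", "10.0.1.42",
          "cifs/fs01.corp.local", "fs01", "jdoe", delegation="Unconstrained"),
    # Not a delegation logon: removed by the LogonType predicate.
    event(timedelta(minutes=5), "S-1-5-21-1-1-1-1500", "ws42", "10.0.1.42",
          "cifs/fs01.corp.local", "fs01", "jdoe", logon_type="Interactive"),
]


def extend(row):
    """Mirror the query's `extend`: promote AdditionalFields into columns."""
    add = row.get("AdditionalFields", {})
    return {
        **row,
        "KerberosDelegationType": str(add.get("KerberosDelegationType", "")),
        "ActorObjectSid": row.get("AccountSid", ""),
        "ActorObjectName": str(add.get("ACTOR.DEVICE", "")),
        "TargetServicePrincipalNames": str(add.get("Spns", "")),
    }


def join_key(row):
    return tuple(row[f] for f in KEY_FIELDS)


def find_unusual_delegations(events, now=NOW, frequency=QUERY_FREQUENCY,
                             period=QUERY_PERIOD):
    """Delegation logons from the last `frequency` whose join key did not occur
    in the preceding `period`; one row per key, the earliest (as arg_min)."""
    # Left side: current interval, delegation logons only.
    recent = [extend(r) for r in events
              if r["TimeGenerated"] > now - frequency and r["LogonType"] == DELEGATED]
    # Right side of the leftanti join. KQL `between` is inclusive at both ends,
    # and the query applies no LogonType filter on this side, so neither do we.
    lo, hi = now - period, now - frequency
    baseline = {join_key(extend(r)) for r in events if lo <= r["TimeGenerated"] <= hi}
    # leftanti: keep recent rows with no baseline match; arg_min: earliest per key.
    first_seen = {}
    for r in recent:
        k = join_key(r)
        if k in baseline:
            continue
        if k not in first_seen or r["TimeGenerated"] < first_seen[k]["TimeGenerated"]:
            first_seen[k] = r
    return sorted(first_seen.values(), key=lambda r: r["TimeGenerated"])


if __name__ == "__main__":
    for hit in find_unusual_delegations(EVENTS):
        print(hit["TimeGenerated"].isoformat(), hit["KerberosDelegationType"],
              hit["ActorObjectName"], "->", hit["TargetDeviceName"],
              hit["TargetAccountDisplayName"])
```

Running it yields two hits, app02 -> api01 (a pattern that aged out of the baseline) and ws42 -> fs01 (a brand-new unconstrained delegation), while the recurring web01 -> sql01 delegation is silent. Shrinking QUERY_PERIOD or moving NOW past the baseline events reproduces the "fresh sensor" effect described above, where every pattern surfaces as new.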

Details


Jose Sebastián Canós

Released: May 24, 2024

Tables

IdentityLogonEvents

Keywords

IdentityLogonEvents, TimeGenerated, LogonType, KerberosDelegationType, ActorObjectSid, ActorObjectName, TargetServicePrincipalNames, AccountSid, AdditionalFields, Spns, IPAddress, TargetDeviceName, TargetAccountDisplayName, Application, ActionType, Protocol

Operators

where, extend, join kind=leftanti, summarize, arg_min, project
