Query Details

Identity Query Events SAMR Query Enumerating Users

Query

IdentityQueryEvents
// SAMR only; LDAP-based enumeration is a separate query type
| where Protocol == "Samr"
// has is a whole-term match: "EnumerateUsers" must appear as its own token in QueryType
| where QueryType has "EnumerateUsers"
// number of accounts returned by the enumeration; null when the field is absent
| extend AdditionalFieldsCount = toint(AdditionalFields["Count"])
| summarize
    Count = sum(AdditionalFieldsCount),                  // nulls are skipped by sum()
    QueryType = make_set_if(split(QueryType, ", "), isnotempty(QueryType)),
    QueryTarget = make_set_if(QueryTarget, isnotempty(QueryTarget)),
    TimeGenerated = min(TimeGenerated),                  // first enumeration seen
    maxTimeGenerated = max(TimeGenerated),               // last enumeration seen
    take_any(ActionType, Protocol, DestinationPort),     // values from one arbitrary row
    DestinationIPAddress = make_set(DestinationIPAddress),
    DestinationDeviceName = make_set(DestinationDeviceName)
    by IPAddress, DeviceName                             // one row per source host
| project
    TimeGenerated,
    maxTimeGenerated,
    DeviceName,
    IPAddress,
    ActionType,
    Count,
    Protocol,
    QueryType,
    QueryTarget,
    DestinationDeviceName,
    DestinationIPAddress,
    DestinationPort

Explanation

The query hunts for SAMR-based user enumeration in Microsoft Defender for Identity telemetry. It keeps the IdentityQueryEvents rows whose Protocol is "Samr" and whose QueryType contains the whole term "EnumerateUsers" (has is a term match, not a substring match), then converts AdditionalFields["Count"], the number of accounts the enumeration returned, to an integer. Everything is then collapsed to one row per source host, keyed by IPAddress and DeviceName: Count is the total number of accounts enumerated from that host (rows without a Count value become null and are ignored by sum), QueryType is the set of query types after splitting comma-separated values, QueryTarget is the set of non-empty targets, TimeGenerated and maxTimeGenerated bracket the first and last enumeration, take_any supplies ActionType, Protocol and DestinationPort from an arbitrary row in the group, and the DestinationIPAddress and DestinationDeviceName sets list the domain controllers that were queried. The final project only orders the output columns.

Why it matters: enumerating domain users over SAMR is classic post-compromise reconnaissance (MITRE ATT&CK T1087.002, Account Discovery: Domain Account), produced for example by net user /domain or rpcclient's enumdomusers. A workstation that pulls back thousands of accounts, or that queries several domain controllers within seconds, is a strong lead. Two caveats before turning this into a scheduled rule: compare the source host against your baseline of vulnerability scanners, identity-governance and monitoring servers, which enumerate legitimately, and scope the query with a lookback window and a minimum Count so that routine single lookups do not page anyone. Note also that the projected TimeGenerated is the earliest timestamp in the group rather than an event time, and that DestinationPort comes from take_any, so it can hide a mix of ports when the group contains more than one.
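To make the grouping concrete, here is the same filter and summarize logic replayed in Python over a handful of constructed IdentityQueryEvents-shaped rows. This is an added example and not code from the page or from the query's author; the sample rows, the row() helper, the has_term() approximation of KQL has, and the ENUM_THRESHOLD value are assumptions made for illustration.

```python
"""Replay of the SAMR EnumerateUsers hunt over constructed sample rows.

Added example, not the original page's code. It mirrors the KQL filter and
summarize stages so the per-source grouping can be checked offline. The sample
rows and ENUM_THRESHOLD are assumptions, not real telemetry or a tuned value.
"""
from datetime import datetime
import re

# Assumed alert threshold: accounts enumerated per source host.
ENUM_THRESHOLD = 500
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def row(ts, device, ip, proto, qtype, target, dst_name, dst_ip, port, count=None):
    """Build one constructed row shaped like an IdentityQueryEvents record."""
    fields = {} if count is None else {"Count": str(count)}
    return {"TimeGenerated": ts, "DeviceName": device, "IPAddress": ip,
            "ActionType": f"{proto.upper()} query", "Protocol": proto,
            "QueryType": qtype, "QueryTarget": target,
            "DestinationDeviceName": dst_name, "DestinationIPAddress": dst_ip,
            "DestinationPort": port, "AdditionalFields": fields}


# Constructed sample events (hypothetical hosts and addresses).
SAMPLE_EVENTS = [
    # Workstation enumerates all users against two DCs within seconds.
    row("2022-11-10T08:01:12Z", "ws-fin-07.corp.local", "10.20.3.17", "Samr",
        "EnumerateUsers", "", "dc01.corp.local", "10.20.0.5", 445, 1500),
    row("2022-11-10T08:01:15Z", "ws-fin-07.corp.local", "10.20.3.17", "Samr",
        "EnumerateUsers", "", "dc02.corp.local", "10.20.0.6", 445, 1500),
    # Single-account lookup: dropped by the QueryType filter.
    row("2022-11-10T08:02:00Z", "ws-fin-07.corp.local", "10.20.3.17", "Samr",
        "QueryUser", "jdoe", "dc01.corp.local", "10.20.0.5", 445),
    # LDAP enumeration: dropped by the Protocol filter.
    row("2022-11-10T08:05:00Z", "srv-scan-01.corp.local", "10.20.9.4", "Ldap",
        "EnumerateUsers", "", "dc01.corp.local", "10.20.0.5", 389, 3000),
    # Admin jump host: small enumeration with a combined QueryType value.
    row("2022-11-10T09:30:00Z", "jump-adm-01.corp.local", "10.20.1.9", "Samr",
        "EnumerateUsers, EnumerateGroups", "", "dc01.corp.local", "10.20.0.5", 445, 40),
    # Same host, no Count field: toint() yields null and sum() skips it.
    row("2022-11-10T09:31:00Z", "jump-adm-01.corp.local", "10.20.1.9", "Samr",
        "EnumerateUsers", "", "dc01.corp.local", "10.20.0.5", 445),
]


def has_term(text, term):
    """Approximate KQL `has`: case-insensitive match on a whole alphanumeric token."""
    tokens = re.findall(r"[A-Za-z0-9_]+", text)
    return term.lower() in (t.lower() for t in tokens)


def to_int(value):
    """Mirror toint(): None (null) when the field is missing or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def summarize_samr_enumeration(events):
    """Filter + summarize stages of the query, keyed by (IPAddress, DeviceName)."""
    groups = {}
    for e in events:
        if e["Protocol"] != "Samr" or not has_term(e["QueryType"], "EnumerateUsers"):
            continue
        key = (e["IPAddress"], e["DeviceName"])
        g = groups.setdefault(key, {
            "Count": 0, "QueryType": set(), "QueryTarget": set(),
            "TimeGenerated": None, "maxTimeGenerated": None,
            # take_any(): values from whichever row opened the group
            "ActionType": e["ActionType"], "Protocol": e["Protocol"],
            "DestinationPort": e["DestinationPort"],
            "DestinationIPAddress": set(), "DestinationDeviceName": set()})
        count = to_int(e["AdditionalFields"].get("Count"))
        if count is not None:                      # sum() ignores nulls
            g["Count"] += count
        if e["QueryType"]:                         # make_set_if(split(...), isnotempty())
            g["QueryType"].update(e["QueryType"].split(", "))
        if e["QueryTarget"]:                       # make_set_if(..., isnotempty())
            g["QueryTarget"].add(e["QueryTarget"])
        ts = datetime.strptime(e["TimeGenerated"], TS_FMT)
        g["TimeGenerated"] = ts if g["TimeGenerated"] is None else min(g["TimeGenerated"], ts)
        g["maxTimeGenerated"] = ts if g["maxTimeGenerated"] is None else max(g["maxTimeGenerated"], ts)
        g["DestinationIPAddress"].add(e["DestinationIPAddress"])
        g["DestinationDeviceName"].add(e["DestinationDeviceName"])
    # Sort the sets so results are deterministic (make_set order is not guaranteed).
    for g in groups.values():
        for col in ("QueryType", "QueryTarget", "DestinationIPAddress", "DestinationDeviceName"):
            g[col] = sorted(g[col])
    return groups


def flag_mass_enumeration(summary, threshold=ENUM_THRESHOLD):
    """Sources whose summed Count reaches the assumed threshold, largest first."""
    hits = [(key, g["Count"]) for key, g in summary.items() if g["Count"] >= threshold]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    summary = summarize_samr_enumeration(SAMPLE_EVENTS)
    for key, g in summary.items():
        print(key, g["Count"], g["QueryType"], g["DestinationDeviceName"])
    print("flagged:", flag_mass_enumeration(summary))
```

Running it shows why the summarize stage matters: the two 1,500-account pulls from the workstation collapse into a single 3,000-account row spanning two domain controllers and crossing the threshold, while the admin host's small enumeration (one row without a Count) stays below it. The jump host would still need a baseline decision in a real rule; the threshold alone does not decide that.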

Details


Jose Sebastián Canós

Released: November 10, 2022

Tables

IdentityQueryEvents

Keywords

IdentityQueryEvents,Protocol,QueryType,EnumerateUsers,AdditionalFields,Count,QueryTarget,TimeGenerated,ActionType,DestinationPort,DestinationIPAddress,DestinationDeviceName,IPAddress,DeviceName

Operators

where,has,extend,toint,summarize,make_set_if,split,isnotempty,min,max,take_any,make_set,by,project
