# Function: IsDomainController()
## Query Information
#### Description
This function checks whether a device is a Domain Controller. It returns true when the device is a domain controller and false otherwise.
#### References
- https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/functions/user-defined-functions
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-custom-functions?view=o365-worldwide
## Defender For Endpoint
```
// This function validates if a device is a Domain Controller. It will return true when it is a domain controller, alternatively false is returned.
let IsDeviceDomainController = (DeviceNameInput: string) {
let AllDomainControllers =
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where LocalPort == 88
| where LocalIPType == "FourToSixMapping"
| distinct DeviceName;
DeviceNetworkEvents
| summarize arg_max(Timestamp, *) by DeviceId
| where DeviceName =~ DeviceNameInput
| extend DomainController = iff(DeviceNameInput in~ (AllDomainControllers), true, false)
| extend DeviceName = DeviceNameInput
| distinct DomainController, DeviceName;
};
// Example
IsDeviceDomainController("yourdevice.tld")
```
## Sentinel
```
// This function validates if a device is a Domain Controller. It will return true when it is a domain controller, alternatively false is returned.
let IsDeviceDomainController = (DeviceNameInput: string) {
let AllDomainControllers =
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where LocalPort == 88
| where LocalIPType == "FourToSixMapping"
| distinct DeviceName;
DeviceNetworkEvents
| summarize arg_max(TimeGenerated, *) by DeviceId
| where DeviceName =~ DeviceNameInput
| extend DomainController = iff(DeviceNameInput in~ (AllDomainControllers), true, false)
| extend DeviceName = DeviceNameInput
| distinct DomainController, DeviceName;
};
// Example
IsDeviceDomainController("yourdevice.tld")
```
The query is a user-defined function named IsDeviceDomainController that checks whether a device is a Domain Controller, returning true if it is and false if it is not. The function takes a device name as input and uses the DeviceNetworkEvents table to build the list of domain controllers: every device that, within the last 7 days, logged network events with LocalPort 88 (the Kerberos KDC port) and a LocalIPType of FourToSixMapping. It then takes the most recent network event per DeviceId, keeps the row whose DeviceName matches the input (case-insensitively), checks whether that name is in the domain-controller list and stores the outcome in the DomainController field. The function returns the DomainController and DeviceName fields for the specified device. Because the second part of the function also reads from DeviceNetworkEvents, a device with no network events in the queried range produces no rows at all rather than false, so an empty result means "device not seen" rather than "not a domain controller".
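The same heuristic can be applied to every onboarded device at once instead of one name at a time. The following is an added example and not part of the original function; it reuses the port 88 / FourToSixMapping criterion from above, joins it against DeviceInfo (a standard Defender for Endpoint table) and, through a left outer join, yields an explicit false for devices that never showed Kerberos traffic instead of an empty result. The column name LastKerberosTraffic is an assumption introduced here.

```kql
// Added example: tag every device in DeviceInfo with the domain-controller
// heuristic used by IsDeviceDomainController. Not part of the original page.
let lookback = 7d;
// Devices that accepted Kerberos (port 88) traffic in the lookback window.
let AllDomainControllers =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where LocalPort == 88
    | where LocalIPType == "FourToSixMapping"
    // Normalise case so the join below behaves like the =~ / in~ operators.
    | extend DeviceName = tolower(DeviceName)
    | summarize LastKerberosTraffic = max(Timestamp) by DeviceName;  // assumed column name
DeviceInfo
| where Timestamp > ago(lookback)
| summarize arg_max(Timestamp, *) by DeviceId
| extend DeviceName = tolower(DeviceName)
// leftouter keeps devices with no Kerberos traffic so they are reported as false.
| join kind=leftouter AllDomainControllers on DeviceName
| extend DomainController = isnotempty(LastKerberosTraffic)
| project DeviceName, DeviceId, OSPlatform, DomainController, LastKerberosTraffic
| order by DomainController desc, DeviceName asc
```

In Sentinel, replace Timestamp with TimeGenerated in both tables, exactly as the two versions of the function above differ.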

Bert-Jan Pals
Released: June 29, 2023