Query Details

Local Admins With The Most Devices Accessed

Query

# Hunt for Local Admins with the most RemoteInteractive logins
----
### Defender For Endpoint

```
// DeviceLogonEvents.IsLocalAdmin is a bool column; compare it to the
// bool literal true rather than the string "True"
DeviceLogonEvents
| where IsLocalAdmin == true
| where LogonType == "RemoteInteractive"
| extend IsLocalLogon = tostring(todynamic(AdditionalFields).IsLocalLogon)
// make_set collects the distinct device names reached by each account
| summarize DevicesAccessed = make_set(DeviceName) by AccountName, AccountDomain
| extend TotalDevices = array_length(DevicesAccessed)
// sort by defaults to descending, so the accounts with the most devices come first
| sort by TotalDevices
```
### Sentinel
```
// DeviceLogonEvents.IsLocalAdmin is a bool column; compare it to the
// bool literal true rather than the string "True"
DeviceLogonEvents
| where IsLocalAdmin == true
| where LogonType == "RemoteInteractive"
| extend IsLocalLogon = tostring(todynamic(AdditionalFields).IsLocalLogon)
// make_set collects the distinct device names reached by each account
| summarize DevicesAccessed = make_set(DeviceName) by AccountName, AccountDomain
| extend TotalDevices = array_length(DevicesAccessed)
// sort by defaults to descending, so the accounts with the most devices come first
| sort by TotalDevices
```

Explanation

This query finds the local administrators with the most logons of the "RemoteInteractive" type (the logon type recorded for RDP-style sessions). It reads DeviceLogonEvents, keeps only events where the account is a local admin and the logon type matches, and then groups the remaining events by account name and domain. For each account, make_set collects the distinct device names that were accessed, array_length turns that set into a count, and sort by (descending by default) places the accounts that reached the most distinct devices at the top. The IsLocalLogon value is extracted from AdditionalFields but is not part of the summarize, so it does not appear in the final result.
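The same hunt logic, re-implemented in Python over a handful of constructed DeviceLogonEvents-like records so the filter, grouping, distinct-device set and descending sort can be traced step by step. This is an added example, not code from the original page or from the query author; the record fields mirror the DeviceLogonEvents columns the query uses, but the sample rows and the `local_admins_by_devices_accessed` / `_is_true` names are assumptions made for the illustration. It also accepts `IsLocalAdmin` encoded either as a bool or as the string "True", since exported telemetry sometimes carries the latter.

```python
from collections import defaultdict

# Constructed sample records shaped like DeviceLogonEvents rows (not real telemetry).
# Covers the cases the hunt has to handle: repeated logons to the same device,
# a non-RemoteInteractive logon, a non-admin logon, and a string-encoded bool.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01.corp.example", "AccountName": "jdoe", "AccountDomain": "corp",
     "LogonType": "RemoteInteractive", "IsLocalAdmin": True},
    {"DeviceName": "ws01.corp.example", "AccountName": "jdoe", "AccountDomain": "corp",
     "LogonType": "RemoteInteractive", "IsLocalAdmin": True},   # same device again: counted once
    {"DeviceName": "ws02.corp.example", "AccountName": "jdoe", "AccountDomain": "corp",
     "LogonType": "RemoteInteractive", "IsLocalAdmin": "True"},  # string-encoded bool
    {"DeviceName": "srv01.corp.example", "AccountName": "jdoe", "AccountDomain": "corp",
     "LogonType": "Interactive", "IsLocalAdmin": True},          # wrong logon type: filtered out
    {"DeviceName": "ws03.corp.example", "AccountName": "asmith", "AccountDomain": "corp",
     "LogonType": "RemoteInteractive", "IsLocalAdmin": True},
    {"DeviceName": "ws04.corp.example", "AccountName": "asmith", "AccountDomain": "corp",
     "LogonType": "RemoteInteractive", "IsLocalAdmin": False},   # not a local admin: filtered out
    {"DeviceName": "ws05.corp.example", "AccountName": "svc_backup", "AccountDomain": "corp",
     "LogonType": "RemoteInteractive", "IsLocalAdmin": True},
]


def _is_true(value):
    """Normalise IsLocalAdmin, which may arrive as a bool or as the string 'True'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def local_admins_by_devices_accessed(events, logon_type="RemoteInteractive"):
    """Mirror the KQL pipeline: filter, summarize make_set(DeviceName) by account,
    add TotalDevices = array_length(...), then sort descending by TotalDevices."""
    devices_by_account = defaultdict(set)
    for event in events:
        if not _is_true(event.get("IsLocalAdmin")):
            continue
        if event.get("LogonType") != logon_type:
            continue
        key = (event["AccountName"], event["AccountDomain"])
        devices_by_account[key].add(event["DeviceName"])  # set semantics == make_set

    rows = [
        {
            "AccountName": account,
            "AccountDomain": domain,
            "DevicesAccessed": sorted(devices),
            "TotalDevices": len(devices),  # array_length(DevicesAccessed)
        }
        for (account, domain), devices in devices_by_account.items()
    ]
    # KQL's `sort by` is descending by default; Python's sort is stable, so ties keep
    # their first-seen order just as the query leaves tie order unspecified.
    rows.sort(key=lambda row: row["TotalDevices"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in local_admins_by_devices_accessed(SAMPLE_EVENTS):
        print(f'{row["AccountDomain"]}\\{row["AccountName"]}: '
              f'{row["TotalDevices"]} device(s) -> {", ".join(row["DevicesAccessed"])}')
```

Running it ranks jdoe first with two distinct devices (the repeated ws01 logon and the Interactive logon to srv01 do not inflate the count), followed by asmith and svc_backup with one device each; asmith's non-admin logon to ws04 is excluded just as the `IsLocalAdmin` filter excludes it in KQL.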

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceLogonEvents

Keywords

DeviceLogonEvents,IsLocalAdmin,LogonType,AdditionalFields,IsLocalLogon,DeviceName,AccountName,AccountDomain,TotalDevices

Operators

where, is, ==, "True", "RemoteInteractive", extend, tostring, todynamic, summarize, make_set, by, AccountName, AccountDomain, array_length, sort, by
