Find which devices have been accessed by a compromised device and which protocol was used to connect
MDI Devices Accessed By Compromised Device
Query
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityLogonEvents
| where TimeGenerated > (now() - SearchWindow)
| where DeviceName == CompromisedDevice
| summarize
TotalDevicesAccessed = dcount(DestinationDeviceName),
DevicesAccessed = make_set(DestinationDeviceName),
ProtocolsUsed = make_set(Protocol)
by DeviceNameAbout this query
Find which devices have been accessed by a compromised device and which protocol was used to connect
Defender XDR
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityLogonEvents
| where Timestamp > (now() - SearchWindow)
| where DeviceName == CompromisedDevice
| summarize
TotalDevicesAccessed = dcount(DestinationDeviceName),
DevicesAccessed = make_set(DestinationDeviceName),
ProtocolsUsed = make_set(Protocol)
by DeviceName
Sentinel
Explanation
This query is designed to identify which devices have been accessed by a specific compromised device, "laptop.contoso.com," within a specified time frame (48 hours by default). It also determines the protocols used for these connections.
Here's a simple breakdown of what the query does:
-
Define Variables:
CompromisedDevice: The name of the device that is suspected to be compromised ("laptop.contoso.com").SearchWindow: The time period to look back from the current time (48 hours).
-
Filter Events:
- The query looks at logon events from the
IdentityLogonEventstable. - It filters these events to only include those that occurred within the last 48 hours.
- It further narrows down the events to those where the
DeviceNamematches the compromised device.
- The query looks at logon events from the
-
Summarize Results:
- It counts the total number of unique devices accessed by the compromised device (
TotalDevicesAccessed). - It creates a list of all unique devices that were accessed (
DevicesAccessed). - It creates a list of all unique protocols used for these connections (
ProtocolsUsed).
- It counts the total number of unique devices accessed by the compromised device (
-
Output:
- The results are grouped by the compromised device name, providing a summary of its activity in terms of accessed devices and used protocols.
This query is useful for security analysts to understand the potential impact of a compromised device by identifying other devices it has interacted with and the methods of interaction.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
IdentityLogonEvents
Keywords
DevicesProtocols
Operators
letwheresummarizedcountmake_setbynow>==