Query Details

MDI Devices Accessed By Compromised Device

Query

# Find which devices have been accessed by a compromised device and which protocol was used to connect
----
### Defender For Endpoint

```kql
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityLogonEvents
| where Timestamp > (now() - SearchWindow)
| where DeviceName == CompromisedDevice
| summarize
     TotalDevicesAccessed = dcount(DestinationDeviceName),
     DevicesAccessed = make_set(DestinationDeviceName),
     ProtocolsUsed = make_set(Protocol)
     by DeviceName
```
### Sentinel
```kql
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityLogonEvents
| where TimeGenerated > (now() - SearchWindow)
| where DeviceName == CompromisedDevice
| summarize
     TotalDevicesAccessed = dcount(DestinationDeviceName),
     DevicesAccessed = make_set(DestinationDeviceName),
     ProtocolsUsed = make_set(Protocol)
     by DeviceName
```

Explanation

The query lists the devices that a known compromised device has logged on to, and the protocol used for each connection. It reads the "IdentityLogonEvents" table, filters on a configurable time window (SearchWindow) and on the name of the compromised device (DeviceName), and then summarizes by that device: the total number of distinct destination devices, the set of destination device names, and the set of protocols used. Both versions are the same KQL; the only difference is the timestamp column, "Timestamp" in Defender for Endpoint advanced hunting and "TimeGenerated" in Sentinel, so the logic and output are identical.
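The summary above answers "which devices and which protocols", but during an incident the next question is usually "in what order, with which accounts, and did the logons succeed". The following query is an added example, not part of the original page, that pivots the same IdentityLogonEvents data per destination to produce a lateral-movement timeline from the compromised device. Column names follow the IdentityLogonEvents schema; the ActionType values "LogonSuccess" and "LogonFailed" used in the countif() calls are an assumption, so verify them against your tenant's data before relying on the failure counts.

```kql
// Added example (not the original author's query): per-destination timeline
// of logons originating from the compromised device.
// Assumption: ActionType carries "LogonSuccess" / "LogonFailed".
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; // h = hours, d = days
IdentityLogonEvents
| where Timestamp > (now() - SearchWindow)   // Sentinel: replace Timestamp with TimeGenerated
| where DeviceName == CompromisedDevice
| where isnotempty(DestinationDeviceName)    // drop events with no destination to pivot on
| summarize
    FirstSeen        = min(Timestamp),
    LastSeen         = max(Timestamp),
    SuccessfulLogons = countif(ActionType == "LogonSuccess"),
    FailedLogons     = countif(ActionType == "LogonFailed"),
    AccountsUsed     = make_set(AccountName),
    ProtocolsUsed    = make_set(Protocol),
    SourceIPs        = make_set(IPAddress)
    by DestinationDeviceName
// share of failed logons per destination; guarded against a zero denominator
| extend FailureRatio = iff(SuccessfulLogons + FailedLogons == 0, 0.0,
                            round(todouble(FailedLogons) / (SuccessfulLogons + FailedLogons), 2))
| sort by FirstSeen asc
```

Sorting by FirstSeen gives the order in which destinations were touched, which is the sequence an investigator walks when scoping the incident; a destination with many accounts in AccountsUsed or a high FailureRatio is a reasonable place to start looking for credential guessing or use of harvested credentials.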

Details

Bert-Jan Pals

Released: May 10, 2023

Tables

IdentityLogonEvents

Keywords

Devices,Intune,User

Operators

where, summarize, dcount, make_set, by