Query Details

Find which devices have been accessed by a list of compromised accounts and which protocol was used to connect

MDI Lateral Movement By Compromised Accounts

Query

let ComprimsedUsers = dynamic(['user1', 'user2']);
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityLogonEvents
| where TimeGenerated > (now() - SearchWindow)
| where AccountName has_any (ComprimsedUsers)
| where isnotempty(TargetDeviceName)
| where ActionType == "LogonSuccess"
| project TimeGenerated, AccountName, Protocol, TargetDeviceName

About this query

Find which devices have been accessed by a list of compromised accounts and which protocol was used to connect


Defender XDR

let ComprimsedUsers = dynamic(['user1', 'user2']);
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityLogonEvents
| where Timestamp > (now() - SearchWindow)
| where AccountName has_any (ComprimsedUsers)
| where isnotempty(TargetDeviceName)
| where ActionType == "LogonSuccess"
| project Timestamp, AccountName, Protocol, TargetDeviceName

Sentinel

Explanation

This query is designed to identify which devices have been accessed by a specified list of compromised user accounts and to determine the protocol used for these connections. Here's a simple breakdown of what the query does:

  1. Define Compromised Users: It starts by defining a list of compromised user accounts (e.g., 'user1', 'user2').

  2. Set a Time Window: It specifies a time window of 48 hours to search for relevant logon events. This time window can be adjusted as needed.

  3. Filter Logon Events: The query searches through logon events to find instances where:

    • The event occurred within the last 48 hours.
    • The account name matches any of the compromised users.
    • The target device name (the device being accessed) is not empty.
    • The logon action was successful.
  4. Select Relevant Data: It extracts and displays specific information from these events, including the timestamp of the event, the account name, the protocol used for the connection, and the name of the target device.

This query is useful for security monitoring, helping to track unauthorized access by compromised accounts and understand how these accounts are connecting to devices within the network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

IdentityLogonEvents

Keywords

DevicesAccountsProtocols

Operators

letdynamicwherehas_anyisnotempty==projectnow-

Actions

GitHub