Query Details

Multiple Device Names From IP Address

Query

let query_frequency = 1h;
let query_period = 3h;
let repeated_device_threshold = 2;
let new_device_threshold = 3;
union IdentityLogonEvents, IdentityQueryEvents
| where TimeGenerated > ago(query_period)
| where isnotempty(IPAddress) and isnotempty(DeviceName) and not(DeviceName == IPAddress)
// Drop public IPv4 addresses; keep RFC 1918 addresses and values that do not parse as IPv4
| where not(isnotempty(parse_ipv4(IPAddress)) and not(ipv4_is_private(IPAddress)))
| as _Events
| join kind=leftsemi (
    _Events
    // Per IPAddress and per query_frequency window: distinct DeviceNames (dcount) and DeviceNames seen for the first time (new_dcount)
    | evaluate activity_counts_metrics(DeviceName, TimeGenerated, ago(query_period), now(), query_frequency, IPAddress)
    // Fire on reuse of previously seen device names or on a burst of new ones
    | where (dcount - new_dcount) >= repeated_device_threshold or new_dcount >= new_device_threshold
    // Only consider the most recent window(s)
    | where TimeGenerated > ago(2 * query_frequency)
    ) on IPAddress
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    EventCount = count(),
    take_any(*)
    by IPAddress, DeviceName, AccountSid, Application, ActionType, LogonType, Protocol
| project-reorder
    StartTime,
    EndTime,
    EventCount,
    IPAddress,
    DeviceName,
    Application,
    AccountUpn,
    AccountSid,
    ActionType,
    Protocol

Explanation

This query unions logon and query events from IdentityLogonEvents and IdentityQueryEvents over the last three hours. It drops events with an empty IP address or device name, events whose device name is simply the IP address, and events from public IPv4 addresses, so only private (RFC 1918) IPv4 addresses and values that do not parse as IPv4 remain. For each remaining IP address it then counts, per one-hour window, the distinct device names observed (dcount) and the distinct device names observed for the first time in the period (new_dcount), and keeps IP addresses that in a recent window either reused at least two previously seen device names or introduced at least three new ones. Finally, it summarizes the matching events by IP address, device name, account, application, action type, logon type, and protocol.
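To make the window arithmetic concrete, the following is an added example that is not part of the original page or of the query author's work. It reimplements the query's filters and threshold logic in Python over a constructed set of events so that the meaning of dcount and new_dcount, and which IP addresses fire, can be checked offline. It assumes activity_counts_metrics aligns windows to the period start and counts "new" device names per IP address (dimension) relative to earlier windows; the sample events, the fixed NOW, and all device names and addresses are constructed.

```python
"""Added example: the detection's counting logic replayed over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import IPv4Address, ip_address, ip_network

# Same parameters as the KQL query
QUERY_FREQUENCY = timedelta(hours=1)
QUERY_PERIOD = timedelta(hours=3)
REPEATED_DEVICE_THRESHOLD = 2
NEW_DEVICE_THRESHOLD = 3

# Fixed "now" so the constructed timestamps fall into known windows (assumption)
NOW = datetime(2024, 7, 3, 12, 0, 0)

# The ranges KQL's ipv4_is_private() treats as private (RFC 1918)
PRIVATE_V4 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample events: (TimeGenerated, IPAddress, DeviceName)
SAMPLE_EVENTS = [
    # window 09:00-10:00: first sighting of two device names from 10.0.0.5
    (datetime(2024, 7, 3, 9, 10), "10.0.0.5", "WS-A"),
    (datetime(2024, 7, 3, 9, 20), "10.0.0.5", "WS-B"),
    # window 10:00-11:00: two new names, below both thresholds
    (datetime(2024, 7, 3, 10, 5), "10.0.0.8", "PC-7"),
    (datetime(2024, 7, 3, 10, 9), "10.0.0.8", "PC-8"),
    # window 11:00-12:00: 10.0.0.5 reuses two known names and adds one
    (datetime(2024, 7, 3, 11, 5), "10.0.0.5", "WS-A"),
    (datetime(2024, 7, 3, 11, 15), "10.0.0.5", "WS-B"),
    (datetime(2024, 7, 3, 11, 30), "10.0.0.5", "WS-C"),
    # three never-seen names from one private address
    (datetime(2024, 7, 3, 11, 1), "192.168.1.20", "LAPTOP-1"),
    (datetime(2024, 7, 3, 11, 2), "192.168.1.20", "LAPTOP-2"),
    (datetime(2024, 7, 3, 11, 3), "192.168.1.20", "LAPTOP-3"),
    (datetime(2024, 7, 3, 11, 10), "172.16.5.9", "PC-1"),
    # public IPv4: removed by the filter, so it never fires
    (datetime(2024, 7, 3, 11, 5), "203.0.113.7", "X1"),
    (datetime(2024, 7, 3, 11, 6), "203.0.113.7", "X2"),
    (datetime(2024, 7, 3, 11, 7), "203.0.113.7", "X3"),
    # not IPv4 at all: parse_ipv4() is null, so the filter keeps it
    (datetime(2024, 7, 3, 11, 20), "fe80::1", "V1"),
    (datetime(2024, 7, 3, 11, 21), "fe80::1", "V2"),
    (datetime(2024, 7, 3, 11, 22), "fe80::1", "V3"),
    # DeviceName equal to IPAddress: removed by the filter
    (datetime(2024, 7, 3, 11, 40), "10.9.9.9", "10.9.9.9"),
]


def keep_event(ip_str, device_name):
    """Mirror the query's two 'where' filters on IPAddress and DeviceName."""
    if not ip_str or not device_name or device_name == ip_str:
        return False
    try:
        addr = ip_address(ip_str)
    except ValueError:
        return True  # parse_ipv4() would return null: the query keeps the event
    if isinstance(addr, IPv4Address) and not any(addr in net for net in PRIVATE_V4):
        return False  # public IPv4 address: dropped
    return True


def activity_counts(events, start, end, step):
    """Per (IPAddress, window start): dcount and new_dcount of DeviceName,
    with 'new' meaning not seen from that IP in any earlier window of [start, end)."""
    per_window = defaultdict(set)
    for ts, ip, device in events:
        if start <= ts < end:
            win = start + ((ts - start) // step) * step
            per_window[(ip, win)].add(device)
    seen = defaultdict(set)
    rows = []
    for ip, win in sorted(per_window, key=lambda k: (k[1], k[0])):  # earlier windows first
        devices = per_window[(ip, win)]
        new = devices - seen[ip]
        rows.append({"TimeGenerated": win, "IPAddress": ip, "dcount": len(devices), "new_dcount": len(new)})
        seen[ip] |= devices
    return rows


def flagged_ips(events, now=NOW):
    """IP addresses the query's join would keep."""
    kept = [e for e in events if keep_event(e[1], e[2])]
    hits = set()
    for row in activity_counts(kept, now - QUERY_PERIOD, now, QUERY_FREQUENCY):
        if row["TimeGenerated"] <= now - 2 * QUERY_FREQUENCY:  # TimeGenerated > ago(2 * query_frequency)
            continue
        repeated = row["dcount"] - row["new_dcount"]
        if repeated >= REPEATED_DEVICE_THRESHOLD or row["new_dcount"] >= NEW_DEVICE_THRESHOLD:
            hits.add(row["IPAddress"])
    return hits


if __name__ == "__main__":
    for row in activity_counts([e for e in SAMPLE_EVENTS if keep_event(e[1], e[2])],
                               NOW - QUERY_PERIOD, NOW, QUERY_FREQUENCY):
        print(row)
    print("flagged:", sorted(flagged_ips(SAMPLE_EVENTS)))
```

Two things the replay makes visible: 10.0.0.5 fires on the repeated-device branch (three names in the last window, only one of them new), while 192.168.1.20 and the IPv6 link-local address fire on the new-device branch; and the public address 203.0.113.7 never reaches the counting stage, which is the intended scope of the filter on parse_ipv4 and ipv4_is_private.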

Details

Jose Sebastián Canós

Released: July 3, 2024

Tables

IdentityLogonEvents, IdentityQueryEvents

Keywords

Devices, Intune, User

Operators

union, where, isnotempty, not, parse_ipv4, ipv4_is_private, as, join, evaluate, dcount, new_dcount, summarize, take_any, project-reorder