Query Details

Multiple Suspicious Device Name

Query

// Device-name terms treated as suspicious; add further entries to the list to match more names
let suspicious_device_name = dynamic([
    "kali"
]);
// isfuzzy=true lets the union run even when one of the listed tables is absent
union isfuzzy=true
    IdentityLogonEvents,
    IdentityQueryEvents,
    IdentityDirectoryEvents,
    SecurityEvent
// Match either column; a column that a table lacks is null after the union and never matches
| where DeviceName has_any (suspicious_device_name) or WorkstationName has_any (suspicious_device_name)

Explanation

This query looks for any logon, query, directory, or security event whose device name or workstation name contains the term "kali" (the only entry in the suspicious_device_name list). has_any is a case-insensitive, whole-term match, so a name such as "KALI-VM" matches while a name that merely embeds the letters, such as "kalimba", does not.
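To show what the has_any filter does and does not match (whole-term, case-insensitive, with columns the fuzzy union fills with null never matching), here is an added Python example that is not part of the original query or page. It approximates KQL term boundaries as runs of alphanumeric characters and runs over constructed sample rows standing in for the unioned tables.

```python
import re

# Constructed sample rows standing in for the unioned tables. A column a table
# lacks (e.g. WorkstationName on the Identity* tables) is simply absent, which
# mirrors the nulls that `union isfuzzy=true` produces for it.
SAMPLE_EVENTS = [
    {"Table": "IdentityLogonEvents", "DeviceName": "KALI-VM", "AccountName": "jdoe"},
    {"Table": "IdentityQueryEvents", "DeviceName": "workstation01", "AccountName": "asmith"},
    {"Table": "SecurityEvent", "WorkstationName": "kali", "Account": "CORP\\svc-backup"},
    {"Table": "SecurityEvent", "WorkstationName": "kalimba-pc", "Account": "CORP\\bob"},
    {"Table": "IdentityDirectoryEvents", "DeviceName": "dc01.corp.local", "AccountName": "admin"},
]

# Same list as the query's suspicious_device_name dynamic array.
SUSPICIOUS_DEVICE_NAMES = ["kali"]

# Assumption: KQL terms are approximated as maximal runs of alphanumerics.
_TERM_RE = re.compile(r"[A-Za-z0-9]+")


def has_any(value, terms):
    """Approximate KQL has_any: case-insensitive whole-term match; null never matches."""
    if value is None:
        return False
    tokens = {t.lower() for t in _TERM_RE.findall(value)}
    return any(term.lower() in tokens for term in terms)


def find_suspicious_devices(events, terms=SUSPICIOUS_DEVICE_NAMES):
    """Apply the query's where clause: DeviceName has_any (...) or WorkstationName has_any (...)."""
    return [
        e for e in events
        if has_any(e.get("DeviceName"), terms) or has_any(e.get("WorkstationName"), terms)
    ]


if __name__ == "__main__":
    for hit in find_suspicious_devices(SAMPLE_EVENTS):
        print(hit["Table"], hit.get("DeviceName") or hit.get("WorkstationName"))
```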

Details


Jose Sebastián Canós

Released: May 24, 2024

Tables

IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents, SecurityEvent

Keywords

DeviceName, WorkstationName

Operators

dynamic, union, isfuzzy, where, has_any
