Query Details

Sec Events Find Lateral Movement Users

Query

//Use your Windows security log to find the users most at risk for lateral movement by finding those that have connected remotely (RDP, logon type 10) to the most devices

//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent

SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4624
| where LogonType == 10
| where SubjectDomainName == TargetDomainName
//Summarize total logons, distinct devices and then list all the devices each account has logged onto
//Account is dropped to lower case to make sure each account is only listed once, i.e. Reprise99 and reprise99 are combined
| summarize
    ['Total logon count']=count(),
    ['Distinct device logon count']=dcount(Computer),
    ['List of devices']=make_set(Computer)
    by tolower(Account)
| sort by ['Distinct device logon count'] desc

Explanation

This query identifies users at higher risk of being used for lateral movement, the technique where an attacker moves from one device to another within a network. It reads the Windows security log (the SecurityEvent table) for the last 30 days and keeps successful logons (Event ID 4624) of logon type 10 (RemoteInteractive, i.e. RDP) where the subject and target domain names match. For each account (lower-cased so that case variants of the same name are combined) it summarizes the total number of logons, the number of distinct devices logged on to, and the list of those devices, and sorts the results in descending order by the number of distinct devices.
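To make the effect of each filter concrete, the following is an added example (not code from the original page or its author) that re-implements the query's pipeline in Python over constructed SecurityEvent rows. The rows, the fixed "now" used for the 30-day window, and the helper names are assumptions made for the example; LogonType 10 is RemoteInteractive (RDP) in Windows 4624 events.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "now" so the 30-day window is reproducible; the constructed rows below
# are dated relative to it.
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)


def _row(days_ago, event_id, logon_type, subject_domain, target_domain, account, computer):
    """Build one constructed SecurityEvent-like row with only the columns the query uses."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "EventID": event_id,
        "LogonType": logon_type,
        "SubjectDomainName": subject_domain,
        "TargetDomainName": target_domain,
        "Account": account,
        "Computer": computer,
    }


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    _row(1, 4624, 10, "CONTOSO", "CONTOSO", "CONTOSO\\Reprise99", "SRV01"),
    _row(2, 4624, 10, "CONTOSO", "CONTOSO", "CONTOSO\\Reprise99", "SRV02"),
    _row(3, 4624, 10, "CONTOSO", "CONTOSO", "CONTOSO\\reprise99", "SRV03"),  # same account, different case
    _row(4, 4624, 10, "CONTOSO", "CONTOSO", "CONTOSO\\alice", "SRV01"),
    _row(5, 4624, 10, "CONTOSO", "CONTOSO", "CONTOSO\\alice", "SRV01"),      # repeat logon to the same device
    _row(6, 4624, 3, "CONTOSO", "CONTOSO", "CONTOSO\\bob", "SRV01"),         # network logon, not RDP
    _row(7, 4624, 3, "CONTOSO", "CONTOSO", "CONTOSO\\bob", "SRV02"),
    _row(8, 4624, 10, "CONTOSO", "SRV05", "SRV05\\localadmin", "SRV05"),     # local account: domains differ
    _row(9, 4625, 10, "CONTOSO", "CONTOSO", "CONTOSO\\alice", "SRV07"),      # failed logon, wrong EventID
    _row(40, 4624, 10, "CONTOSO", "CONTOSO", "CONTOSO\\alice", "SRV09"),     # outside the 30-day window
]


def find_lateral_movement_users(events, now=NOW, window_days=30):
    """Mirror the KQL pipeline: apply the four where clauses, then summarize per lower-cased account."""
    cutoff = now - timedelta(days=window_days)
    logons = defaultdict(list)
    for e in events:
        if e["TimeGenerated"] <= cutoff:                        # TimeGenerated > ago(30d)
            continue
        if e["EventID"] != 4624:                                # successful logons only
            continue
        if e["LogonType"] != 10:                                # RemoteInteractive (RDP)
            continue
        if e["SubjectDomainName"] != e["TargetDomainName"]:     # drops the local-account row above
            continue
        logons[e["Account"].lower()].append(e["Computer"])      # tolower(Account) merges case variants

    rows = []
    for account, computers in logons.items():
        rows.append({
            "Account": account,
            "Total logon count": len(computers),                 # count()
            "Distinct device logon count": len(set(computers)),  # dcount(Computer)
            "List of devices": sorted(set(computers)),           # make_set(Computer), sorted for determinism
        })
    rows.sort(key=lambda r: r["Distinct device logon count"], reverse=True)  # sort by ... desc
    return rows


if __name__ == "__main__":
    for r in find_lateral_movement_users(SAMPLE_EVENTS):
        print(r)
```

Only two accounts survive the filters: the two case variants of Reprise99 collapse into one row with three distinct devices, and alice keeps two logons to a single device. The network logons, the local-account logon, the failed logon and the 40-day-old event are all excluded, which is the same pruning the KQL performs before summarizing. KQL's `make_set` does not guarantee element order; the example sorts the set so results are stable.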

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

Devices,Intune,User

Operators

where, ago, ==, |, summarize, count(), dcount(), make_set(), by, tolower(), sort by
