Query Details

Security Alert Defender for ID Recon

Query

//When Defender for Identity alerts on user and group reconnaissance, parse the relevant accounts, hosts and groups affected

//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)

SecurityAlert
| where AlertName == "User and group membership reconnaissance (SAMR)"
| extend x = todynamic(Entities)
| mv-expand x
| parse x with * 'HostName":"' HostName '","Id' *
| parse x with * 'FriendlyName":"' GroupName '","Type":"security-group"' *
| parse x with * '"Name":"' AccountName '","Sid"' *
| summarize
    Accounts=make_list_if(AccountName, isnotempty(AccountName)),
    Hosts=make_list_if(HostName, isnotempty(HostName)),
    Groups=make_list_if(GroupName, isnotempty(GroupName))
    by VendorOriginalId

Explanation

This query looks for Defender for Identity alerts related to user and group reconnaissance and retrieves the accounts, hosts, and groups affected by it. It uses the SecurityAlert table (populated by the Security Alert data connector) and filters for alerts named "User and group membership reconnaissance (SAMR)". After expanding the Entities field into one row per entity, it parses each entity's JSON text to extract the hostname, group name, and account name. Finally, it summarizes the results by the original vendor alert ID (VendorOriginalId), building lists of the affected accounts, hosts, and groups.
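The following is an added variant, not part of the original page, that reaches the same result by reading the expanded Entities objects as typed JSON (Entity.Type, Entity.Name, and so on) instead of substring-parsing the serialized text, which is less brittle if the entity serialization changes order or spacing. It assumes the entity Type values "account", "host" and "security-group"; the key names HostName, Name/Sid and FriendlyName are the ones the original query matches on. It also adds first/last seen times and a group count per alert to help prioritize broad enumeration.

```kql
// Added example, not the original query: same SAMR reconnaissance alert,
// but the Entities array is walked as typed JSON objects rather than parsed as raw text.
// Assumed entity Type values: "account", "host", "security-group".
SecurityAlert
| where AlertName == "User and group membership reconnaissance (SAMR)"
| mv-expand Entity = todynamic(Entities)          // one row per entity in the alert
| extend EntityType = tostring(Entity.Type)
| extend AccountName = iff(EntityType == "account", tostring(Entity.Name), ""),
         AccountSid  = iff(EntityType == "account", tostring(Entity.Sid), ""),
         HostName    = iff(EntityType == "host", tostring(Entity.HostName), ""),
         GroupName   = iff(EntityType == "security-group", tostring(Entity.FriendlyName), "")
| summarize
    Accounts    = make_set_if(AccountName, isnotempty(AccountName)),  // make_set_if dedups repeats
    AccountSids = make_set_if(AccountSid, isnotempty(AccountSid)),
    Hosts       = make_set_if(HostName, isnotempty(HostName)),
    Groups      = make_set_if(GroupName, isnotempty(GroupName)),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by VendorOriginalId
| extend GroupCount = array_length(Groups)        // how many groups were enumerated in this alert
| order by GroupCount desc
```

The `make_set_if` aggregation returns distinct values, so an account or host that appears in several entity references is listed once; use `make_list_if` as in the original query if you need to preserve duplicates and ordering.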

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert

Keywords

SecurityAlert,AlertName,Entities,HostName,GroupName,AccountName,Sid,Accounts,Hosts,Groups,VendorOriginalId

Operators

where, extend, mv-expand, parse, with, summarize, make_list_if, isnotempty, by
