Query Details

Security Alert Suspected Golden Ticket

Query

//When Defender for Identity detects suspected golden ticket usage, parse the relevant user accounts and host names

//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)

SecurityAlert
| where AlertName startswith "Suspected Golden Ticket usage"
| mv-expand todynamic(Entities)
| extend AccountName = tostring(Entities.Name)
| extend HostName = tostring(Entities.HostName)
| summarize
    Accounts=make_list_if(AccountName, isnotempty(AccountName)),
    Hosts=make_list_if(HostName, isnotempty(HostName))
    by VendorOriginalId

Explanation

This query looks for suspected golden ticket usage alerts raised by Defender for Identity and pulls out the user accounts and host names attached to them. It reads from the SecurityAlert table (populated through the Security Alert data connector) and filters for alerts whose name starts with "Suspected Golden Ticket usage". It then expands the Entities column into one row per entity, converts each entity's Name and HostName values to strings, and summarizes the rows by VendorOriginalId. The final result carries two lists per alert: Accounts (the non-empty Name values) and Hosts (the non-empty HostName values).
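The same extraction logic reproduced in Python as an added example (it is not part of the original query page and not Defender for Identity code), run over constructed SecurityAlert-shaped rows so the shape of the Entities payload and the effect of isnotempty() can be seen offline. The function name golden_ticket_entities, the VendorOriginalId values and the entity contents are all made up for the example; the Entities column is modelled as the JSON-encoded array that todynamic() would parse in the real table.

```python
import json
from collections import defaultdict

# Constructed sample SecurityAlert rows (not real alert data). In the real
# table the Entities column is a JSON-encoded array of entity objects; account
# entities carry "Name", host entities carry "HostName", which is exactly what
# the KQL query pulls out with tostring(Entities.Name) / tostring(Entities.HostName).
SAMPLE_ALERTS = [
    {
        "AlertName": "Suspected Golden Ticket usage (encryption downgrade)",
        "VendorOriginalId": "alert-0001",  # constructed placeholder id
        "Entities": json.dumps([
            {"$id": "1", "Type": "account", "Name": "jdoe", "UPNSuffix": "example.test"},
            {"$id": "2", "Type": "host", "HostName": "ws-01", "DnsDomain": "example.test"},
            {"$id": "3", "Type": "host", "HostName": "dc-01", "DnsDomain": "example.test"},
        ]),
    },
    {
        "AlertName": "Suspected Golden Ticket usage (nonexistent account)",
        "VendorOriginalId": "alert-0002",  # constructed placeholder id
        "Entities": json.dumps([
            {"$id": "1", "Type": "account", "Name": "ghost-admin"},
            {"$id": "2", "Type": "host", "HostName": ""},          # empty: dropped by isnotempty()
            {"$id": "3", "Type": "process", "ProcessId": "4321"},  # has neither Name nor HostName
        ]),
    },
    {
        # Different alert family: must not match the startswith filter.
        "AlertName": "Suspected DCSync attack (replication of directory services)",
        "VendorOriginalId": "alert-0003",  # constructed placeholder id
        "Entities": json.dumps([{"$id": "1", "Type": "account", "Name": "other"}]),
    },
]


def golden_ticket_entities(alerts, prefix="Suspected Golden Ticket usage"):
    """Mirror the KQL query over a list of SecurityAlert-shaped dicts.

    Returns {VendorOriginalId: {"Accounts": [...], "Hosts": [...]}} where
    Accounts holds every non-empty Name and Hosts every non-empty HostName,
    in entity order and with duplicates kept (make_list_if semantics).
    """
    grouped = defaultdict(lambda: {"Accounts": [], "Hosts": []})
    for alert in alerts:
        # KQL's startswith is case-insensitive, so compare case-folded.
        if not alert.get("AlertName", "").casefold().startswith(prefix.casefold()):
            continue
        # todynamic(Entities): parse the JSON string; a malformed or empty
        # payload expands to no entity rows instead of failing the whole run.
        try:
            entities = json.loads(alert.get("Entities") or "[]")
        except json.JSONDecodeError:
            entities = []
        if not isinstance(entities, list):
            entities = [entities]
        for entity in entities:
            # The group is created on the first expanded entity row, the way
            # mv-expand yields rows only when there is something to expand.
            bucket = grouped[alert["VendorOriginalId"]]
            name = str(entity.get("Name") or "")       # tostring(Entities.Name)
            host = str(entity.get("HostName") or "")   # tostring(Entities.HostName)
            if name:                                   # isnotempty(AccountName)
                bucket["Accounts"].append(name)
            if host:                                   # isnotempty(HostName)
                bucket["Hosts"].append(host)
    return dict(grouped)


if __name__ == "__main__":
    for vendor_id, lists in golden_ticket_entities(SAMPLE_ALERTS).items():
        print(vendor_id, lists)
```

The second sample alert shows why the isnotempty() guards matter: without them the empty HostName and the process entity (which has no Name or HostName at all) would contribute blank strings to the lists, and the Hosts list for that alert would look populated when it is not.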

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert

Keywords

SecurityAlert, AlertName, Suspected Golden Ticket usage, Entities, AccountName, HostName, Accounts, Hosts, VendorOriginalId

Operators

where, startswith, mv-expand, todynamic, extend, tostring, summarize, make_list_if, isnotempty, by