Security Event AD Unusual Operation
Query
SecurityEvent
| where EventData has_any ("CN=Partitions,CN=Configuration,", "msExchAcceptedDomain", "msDS-DelegatedManagedServiceAccount", "msDS-ManagedAccountPrecededByLink")
| project
TimeGenerated,
Computer,
Account,
AccountType,
Activity,
OperationType,
EventData,
SubjectLogonIdExplanation
This query is searching through security events to find specific types of activities related to certain Active Directory objects or attributes. Here's a simple breakdown of what it does:
-
Data Source: It looks at the
SecurityEventtable, which contains logs of security-related events. -
Filtering Criteria: It filters the events to find those that involve any of the following:
- "CN=Partitions,CN=Configuration," which is related to Active Directory partitions.
- "msExchAcceptedDomain," which is associated with Microsoft Exchange accepted domains.
- "msDS-DelegatedManagedServiceAccount" and "msDS-ManagedAccountPrecededByLink," which are related to managed service accounts in Active Directory.
-
Selected Information: For the events that match the criteria, it selects (or "projects") the following details:
TimeGenerated: When the event occurred.Computer: The computer where the event was logged.Account: The account involved in the event.AccountType: The type of account involved.Activity: The activity that took place.OperationType: The type of operation that was performed.EventData: Additional data about the event.SubjectLogonId: The logon ID of the subject involved in the event.
In summary, this query is used to identify and extract specific security events related to certain Active Directory configurations and managed accounts, providing detailed information about each event.
Details

Jose Sebastián Canós
Released: May 23, 2025
Tables
Keywords
Operators