Query Details
Security Event AD Unusual Operation
Query
SecurityEvent
| where EventData has_any ("CN=Partitions,CN=Configuration,", "msExchAcceptedDomain")
| project
TimeGenerated,
Computer,
Account,
AccountType,
Activity,
OperationType,
EventData,
SubjectLogonId
Explanation
This KQL (Kusto Query Language) query is designed to search through security event logs for specific events related to Active Directory and Exchange configurations. Here's a simple breakdown of what the query does:
-
Data Source: It starts by looking at the
SecurityEventtable, which contains logs of security-related events. -
Filter Criteria: The query filters the events to find those where the
EventDatafield contains either "CN=Partitions,CN=Configuration," or "msExchAcceptedDomain". These strings are likely related to Active Directory partitions and Exchange accepted domains, respectively. -
Select Columns: After filtering, the query selects (or "projects") specific columns to display in the results:
TimeGenerated: The timestamp of when the event was logged.Computer: The name of the computer where the event occurred.Account: The account associated with the event.AccountType: The type of account involved in the event.Activity: The activity that was logged.OperationType: The type of operation that was performed.EventData: The detailed data of the event.SubjectLogonId: The logon ID of the subject account involved in the event.
In summary, this query is used to identify and display specific security events related to Active Directory and Exchange configurations, showing key details about each event.
Details
Jose Sebastián Canós
Released: December 30, 2024
Tables
Keywords
Operators