Query Details

Security Event AD Unusual Operation

Query

SecurityEvent
| where EventData has_any ("CN=Partitions,CN=Configuration,", "msExchAcceptedDomain", "msDS-DelegatedManagedServiceAccount", "msDS-ManagedAccountPrecededByLink")
| project
    TimeGenerated,
    Computer,
    Account,
    AccountType,
    Activity,
    OperationType,
    EventData,
    SubjectLogonId

Explanation

This query is searching through security events to find specific types of activities related to certain Active Directory objects or attributes. Here's a simple breakdown of what it does:

  1. Data Source: It looks at the SecurityEvent table, which contains logs of security-related events.

  2. Filtering Criteria: It filters the events to find those that involve any of the following:

    • "CN=Partitions,CN=Configuration," which is related to Active Directory partitions.
    • "msExchAcceptedDomain," which is associated with Microsoft Exchange accepted domains.
    • "msDS-DelegatedManagedServiceAccount" and "msDS-ManagedAccountPrecededByLink," which are related to managed service accounts in Active Directory.
  3. Selected Information: For the events that match the criteria, it selects (or "projects") the following details:

    • TimeGenerated: When the event occurred.
    • Computer: The computer where the event was logged.
    • Account: The account involved in the event.
    • AccountType: The type of account involved.
    • Activity: The activity that took place.
    • OperationType: The type of operation that was performed.
    • EventData: Additional data about the event.
    • SubjectLogonId: The logon ID of the subject involved in the event.

In summary, this query is used to identify and extract specific security events related to certain Active Directory configurations and managed accounts, providing detailed information about each event.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: May 23, 2025

Tables

SecurityEvent

Keywords

SecurityEventEventDataTimeGeneratedComputerAccountAccountTypeActivityOperationTypeSubjectLogonId

Operators

has_anywhereproject

Actions

GitHub