Query Details

Security Event Account Sensitivity Changed

Query

//Detect when the 'account is sensitive and cannot be delegated' flag on an account is changed

//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent

SecurityEvent
| where EventID == 4738
| where UserAccountControl has_any ("2094", "2062")
| extend Activity = case(
    UserAccountControl contains "2094", "Account Sensitivity Enabled",
    UserAccountControl contains "2062", "Account Sensitivity Disabled",
    "Unknown")
| project TimeGenerated, Target = TargetAccount, Actor = SubjectAccount, Activity

Explanation

This query detects when the 'account is sensitive and cannot be delegated' flag on an account is changed. It reads the SecurityEvent table populated by the Windows Security Events data connector and filters for Event ID 4738, 'A user account was changed', which a domain controller only logs when the Audit User Account Management subcategory is enabled. The UserAccountControl field of that event lists the flags that changed as %%-prefixed codes; the query keeps events containing 2094 or 2062, which indicate the flag being enabled or disabled respectively, and adds an Activity field naming which of the two happened. The final projection returns TimeGenerated, the changed account as Target, the account that made the change as Actor, and Activity.
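As an added example that is not part of the original query, the same detection can be summarised per actor so that one account removing this protection from several accounts in a short window stands out; the lookback, window and threshold are assumed values to tune per environment.

```kql
// Added example, not part of the original query: surface actors who disable the
// 'account is sensitive and cannot be delegated' flag on more than one account
// within a short window. lookback, window and threshold are assumed values.
let lookback = 7d;
let window = 1h;
let threshold = 1;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4738
| where UserAccountControl has_any ("2094", "2062")
| extend Activity = case(
    UserAccountControl contains "2094", "Account Sensitivity Enabled",
    UserAccountControl contains "2062", "Account Sensitivity Disabled",
    "Unknown")
// Removing the protection is the change worth alerting on
| where Activity == "Account Sensitivity Disabled"
| summarize DisabledCount = dcount(TargetAccount),
            Targets = make_set(TargetAccount, 25),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Actor = SubjectAccount, Computer, bin(TimeGenerated, window)
| where DisabledCount > threshold
| project FirstSeen, LastSeen, Actor, Computer, DisabledCount, Targets
| order by DisabledCount desc
```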

Details

Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

Devices,Intune,User

Operators

project, where, extend, contains, strcat