Query Details

Security Event Admin SD Holder Modifications

Query

SecurityEvent
| where EventID == 5136 and EventData has "AdminSDHolder"
| project TimeGenerated, Computer, Account, AccountType, SubjectLogonId, Activity, OperationType, EventData
| mv-apply Auxiliar = parse_xml(EventData)["EventData"]["Data"] on (
    summarize BagToUnpack = make_bag(bag_pack(tostring(Auxiliar["@Name"]), tostring(Auxiliar["#text"])))
)
| evaluate bag_unpack(BagToUnpack, OutputColumnPrefix = "EventData_", columnsConflict="keep_source")
| project-reorder TimeGenerated, Computer, Account, AccountType, SubjectLogonId, Activity, OperationType, EventData, EventData_*

Explanation

This query searches the security event data for events with ID 5136 ("A directory service object was modified") whose event data contains the term "AdminSDHolder". Changes to that object matter because its security descriptor is copied onto protected accounts and groups by the SDProp process, so a modified ACL there is inherited by those accounts. Note that 5136 is only written when Directory Service Changes auditing is enabled and the object's SACL audits the change; without that, the query returns nothing.

Once it finds these events, it projects or selects certain information from them, such as the time they were generated, the computer they occurred on, the account associated with them, the type of account, the subject logon ID, the activity, the operation type, and the event data.

Then, it uses mv-apply to parse the XML structure of the event data: each <Data Name="..."> element is expanded into its own row, and make_bag summarizes those rows into a single property bag that maps every Name attribute to its text value.

After that, bag_unpack turns each key in the bag into its own column prefixed with EventData_. If a new column name conflicts with an existing column, columnsConflict="keep_source" keeps the existing column's values.

Finally, it reorders the columns in the output to a specific order: TimeGenerated, Computer, Account, AccountType, SubjectLogonId, Activity, OperationType, EventData, followed by the newly created EventData columns.
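The following is an added worked example, not part of the original page or its query: a stand-alone Python re-implementation of what the KQL pipeline does to each record, so the parsing, term matching and column-unpacking steps can be tried offline. The sample records and their XML bodies are constructed for illustration (the field names mirror the usual 5136 data fields, but nothing here was captured from a real domain controller), and the helper names are this example's own.

```python
"""Re-implementation of the AdminSDHolder query's per-record logic (added example)."""
import re
import xml.etree.ElementTree as ET

# Columns the query projects, in the order project-reorder emits them.
PROJECTED = ["TimeGenerated", "Computer", "Account", "AccountType",
             "SubjectLogonId", "Activity", "OperationType", "EventData"]

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample records in the shape of the SecurityEvent table.
SAMPLE_EVENTS = [
    {   # 5136 on AdminSDHolder itself: the row the query should return
        "TimeGenerated": "2023-01-05T10:00:00Z", "Computer": "DC01.contoso.example",
        "Account": "CONTOSO\\jdoe", "AccountType": "User", "SubjectLogonId": "0x3e7a1",
        "Activity": "5136 - A directory service object was modified.",
        "OperationType": "%%14674", "EventID": 5136,
        "EventData": (
            f'<EventData xmlns="{NS}">'
            '<Data Name="SubjectUserName">jdoe</Data>'
            '<Data Name="SubjectLogonId">0x3e7a1</Data>'
            '<Data Name="ObjectDN">CN=AdminSDHolder,CN=System,DC=contoso,DC=example</Data>'
            '<Data Name="ObjectClass">container</Data>'
            '<Data Name="AttributeLDAPDisplayName">nTSecurityDescriptor</Data>'
            '<Data Name="OperationType">%%14674</Data>'
            '</EventData>'),
    },
    {   # 5136 on an unrelated object: filtered out by the `has` clause
        "TimeGenerated": "2023-01-05T10:01:00Z", "Computer": "DC01.contoso.example",
        "Account": "CONTOSO\\jdoe", "AccountType": "User", "SubjectLogonId": "0x3e7a1",
        "Activity": "5136 - A directory service object was modified.",
        "OperationType": "%%14674", "EventID": 5136,
        "EventData": ('<EventData><Data Name="ObjectDN">CN=Alice,CN=Users,DC=contoso,DC=example</Data>'
                      '<Data Name="AttributeLDAPDisplayName">description</Data></EventData>'),
    },
    {   # Different event ID that merely mentions AdminSDHolder: filtered out by EventID
        "TimeGenerated": "2023-01-05T10:02:00Z", "Computer": "DC01.contoso.example",
        "Account": "CONTOSO\\jdoe", "AccountType": "User", "SubjectLogonId": "0x3e7a1",
        "Activity": "4662 - An operation was performed on an object.",
        "OperationType": "Object Access", "EventID": 4662,
        "EventData": '<EventData><Data Name="ObjectName">CN=AdminSDHolder,CN=System</Data></EventData>',
    },
]


def has_term(text, term):
    """KQL `has`: case-insensitive match on a whole term (not a substring)."""
    tokens = re.split(r"[^A-Za-z0-9]+", text)
    return any(tok.lower() == term.lower() for tok in tokens)


def parse_event_data(xml_text):
    """The mv-apply + make_bag step: <Data Name=...>text</Data> -> {Name: text}.

    Tag names are compared by local name so the Windows event namespace,
    when present on the <EventData> root, does not break the lookup.
    """
    root = ET.fromstring(xml_text)
    bag = {}
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "Data" and elem.get("Name"):
            bag[elem.get("Name")] = elem.text or ""
    return bag


def unpack_row(row, bag, prefix="EventData_"):
    """bag_unpack with columnsConflict='keep_source': an existing column wins."""
    out = dict(row)
    for name, value in bag.items():
        out.setdefault(prefix + name, value)
    return out


def run_query(events):
    """Apply the where / project / mv-apply / bag_unpack pipeline to a list of records."""
    results = []
    for ev in events:
        if ev.get("EventID") != 5136 or not has_term(ev.get("EventData", ""), "AdminSDHolder"):
            continue
        row = {col: ev.get(col) for col in PROJECTED}      # project
        bag = parse_event_data(ev["EventData"])             # mv-apply + make_bag
        results.append(unpack_row(row, bag))                # bag_unpack, projected columns first
    return results


if __name__ == "__main__":
    for hit in run_query(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["EventData_ObjectDN"], hit["EventData_AttributeLDAPDisplayName"])
```

The term matcher is deliberately stricter than a substring search, mirroring KQL `has`, which is why an EventData value such as "AdminSDHolderBackup" would not match in either the query or this script; broaden the filter to `contains` in the query if that behaviour is not wanted.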

Details

Jose Sebastián Canós

Released: January 5, 2023

Tables

SecurityEvent

Keywords

SecurityEvent,EventID,EventData,AdminSDHolder,TimeGenerated,Computer,Account,AccountType,SubjectLogonId,Activity,OperationType,Auxiliar,BagToUnpack,OutputColumnPrefix,ColumnsConflict

Operators

SecurityEvent,where,EventID,has,project,mv-apply,parse_xml,summarize,make_bag,bag_pack,tostring,evaluate,bag_unpack,project-reorder