Query Details

Security Event Malformed Security Descriptor

Query

SecurityEvent
| where EventData has "Malformed Security Descriptor"
| project
    TimeGenerated,
    Account,
    AccountType,
    Computer,
    SubjectLogonId, // Search the 4624 event for this SubjectLogonId
    Activity,
    OperationType,
    EventData

Explanation

This query selects SecurityEvent records whose EventData contains the string "Malformed Security Descriptor" and projects TimeGenerated, Account, AccountType, Computer, SubjectLogonId, Activity, OperationType and EventData. SubjectLogonId is included so the analyst can look up the corresponding 4624 logon event and see who created the session that produced the malformed descriptor.
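The follow-up lookup described above, done in one query rather than by hand. This is an added example, not the author's query; it assumes the standard Sentinel SecurityEvent schema for event 4624 (TargetLogonId, LogonType, IpAddress, WorkstationName) and a 7-day lookback.

```kql
// Added example: join each "Malformed Security Descriptor" event to the 4624
// logon that created the session it names in SubjectLogonId.
// Assumption: standard SecurityEvent columns for 4624 (TargetLogonId, LogonType,
// IpAddress, WorkstationName); the lookback window is an assumed value.
let lookback = 7d;
let malformed = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventData has "Malformed Security Descriptor"
    | project EventTime = TimeGenerated, Computer, SubjectLogonId,
              Activity, OperationType, EventData;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624
// In a 4624 event the new session's ID is TargetLogonId; later events on the
// same host refer to that session as SubjectLogonId.
| project LogonTime = TimeGenerated, Computer, TargetLogonId, Account,
          LogonType, IpAddress, WorkstationName
| join kind=inner malformed
    on Computer, $left.TargetLogonId == $right.SubjectLogonId
// Logon IDs are only unique per boot of a host, so keep the most recent
// 4624 that precedes the malformed-descriptor event.
| where LogonTime <= EventTime
| summarize arg_max(LogonTime, *) by Computer, SubjectLogonId, EventTime
| project EventTime, Computer, Account, LogonType, IpAddress, WorkstationName,
          LogonTime, Activity, OperationType, EventData
| order by EventTime desc
```

LogonType and IpAddress from the joined 4624 row tell you whether the session was interactive, network or a service logon and where it came from, which is usually the first question when triaging these events.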

Details


Jose Sebastián Canós

Released: June 10, 2024

Tables

SecurityEvent

Keywords

SecurityEvent, EventData, MalformedSecurityDescriptor, TimeGenerated, Account, AccountType, Computer, SubjectLogonId, Activity, OperationType

Operators

where, has, project
