Query Details

Security Event Stopped Event Reception Domain Controllers Security Event

Query

let query_frequency = 15m;
let query_wait = 2h;
let _DomainControllers = toscalar(
    _GetWatchlist("Service-PrivateCorporateServices")
    | where Service == "DomainController"
    | summarize make_list(HostName)
);
SecurityEvent
| where TimeGenerated > ago(query_wait + query_frequency)
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer has_any (_DomainControllers)
| where TimeGenerated between (ago(query_frequency + query_wait) .. ago(query_wait))
| project
    Type,
    TimeGenerated,
    TimeCollected,
    Computer,
    Activity,
    SourceComputerId,
    EventOriginId,
    _ResourceId

Explanation

This KQL (Kusto Query Language) query is designed to analyze security events related to domain controllers within a specific time frame. Here's a simplified breakdown of what the query does:

  1. Define Time Intervals:

    • query_frequency is set to 15 minutes.
    • query_wait is set to 2 hours.
  2. Identify Domain Controllers:

    • It retrieves a list of hostnames for domain controllers from a watchlist named "Service-PrivateCorporateServices".
  3. Filter Security Events:

    • The query looks at security events that were generated more than 2 hours and 15 minutes ago.
    • It selects the most recent event for each computer (domain controller) by using arg_max to get the latest event based on TimeGenerated.
  4. Focus on Domain Controllers:

    • It filters these events to include only those related to the domain controllers identified earlier.
  5. Time Frame Specification:

    • It further narrows down the events to those that occurred between 2 hours and 15 minutes ago and 2 hours ago.
  6. Select Specific Fields:

    • Finally, it projects (selects) specific fields from the filtered events: Type, TimeGenerated, TimeCollected, Computer, Activity, SourceComputerId, EventOriginId, and _ResourceId.

In summary, this query is used to find the most recent security events related to domain controllers within a specific 15-minute window, occurring between 2 hours and 15 minutes ago and 2 hours ago.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 18, 2025

Tables

SecurityEvent

Keywords

SecurityEvent

Operators

lettoscalar_GetWatchlistwheresummarizemake_listarg_maxhas_anybetweenagoproject

Actions

GitHub