Query Details

Security Event Stopped Event Reception Domain Controllers Security Event

Query

// How often the analytics rule runs, and how long a domain controller may be
// silent before it is considered to have stopped delivering events.
let query_frequency = 15m;
let query_wait = 1h;
// Domain controller hostnames come from the Service-PrivateCorporateServices watchlist.
let _DomainControllers = toscalar(
    _GetWatchlist('Service-PrivateCorporateServices')
    | where Service == "DomainController"
    | summarize make_list(HostName)
);
SecurityEvent
// Only the last query_wait + query_frequency (1h 15m) of events are needed.
| where TimeGenerated > ago(query_wait + query_frequency)
// Most recent event per host.
| summarize arg_max(TimeGenerated, *) by Computer
// Term match, so short watchlist hostnames match fully qualified Computer values.
| where Computer has_any (_DomainControllers)
// Keep hosts whose newest event is older than query_wait but not older than
// query_wait + query_frequency, so each interruption is reported by one run only.
| where TimeGenerated between (ago(query_frequency + query_wait) .. ago(query_wait))
| project Type, TimeGenerated, TimeCollected, Computer, Activity, SourceComputerId, EventOriginId, _ResourceId

Explanation

The query detects domain controllers that have stopped delivering Windows Security events to the workspace. It pulls the domain controller hostnames from the Service-PrivateCorporateServices watchlist, takes the most recent SecurityEvent per Computer within the last query_wait + query_frequency (1h 15m), keeps only the domain controllers, and then retains those whose newest event falls between 1h 15m and 1h ago. A host whose last event is younger than query_wait is still reporting; a host whose last event is older than query_wait + query_frequency either was already flagged by an earlier run or sent nothing at all inside the window and therefore never appears in SecurityEvent, so with a 15-minute schedule each interruption is reported once. Two caveats: has_any performs term matching, so short hostnames in the watchlist match fully qualified Computer values (and could also match unrelated hosts that contain the same term); and query_wait must exceed the normal ingestion latency of the agent, or healthy domain controllers will be reported during ordinary delays.
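The following is an added example, not part of the original query or the author's work, that replaces the watchlist lookup and the SecurityEvent table with constructed stand-ins so the window logic can be run in any Log Analytics or Kusto workspace. Hostnames, event ages and activities are invented; each row represents the newest event a host has sent, expressed in minutes before now so the result is the same whenever it runs.

```kql
let query_frequency = 15m;
let query_wait = 1h;
// Constructed stand-in for the watchlist result (hypothetical hostnames).
let _DomainControllers = dynamic(["DC01", "DC02", "DC03"]);
// Constructed stand-in for SecurityEvent. Rows:
//   DC01   5 min old  -> still reporting, must not be returned
//   DC02  65 min old  -> silent for just over query_wait, must be returned
//   DC03 180 min old  -> outside the window, reported by an earlier run, not returned again
//   FILE01 65 min old -> stale but not a domain controller, not returned
let SampleSecurityEvent = datatable(Computer:string, AgeMinutes:int, Activity:string)
[
    "DC01.contoso.local",   5,   "4624 - An account was successfully logged on.",
    "DC02.contoso.local",   65,  "4634 - An account was logged off.",
    "DC03.contoso.local",   180, "4624 - An account was successfully logged on.",
    "FILE01.contoso.local", 65,  "4663 - An attempt was made to access an object."
]
| extend TimeGenerated = now() - AgeMinutes * 1m;
// Same detection logic as the rule above, applied to the constructed table.
SampleSecurityEvent
| where TimeGenerated > ago(query_wait + query_frequency)
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer has_any (_DomainControllers)
| where TimeGenerated between (ago(query_frequency + query_wait) .. ago(query_wait))
| project Computer, LastEvent = TimeGenerated, Activity
```

Expected result is a single row for DC02.contoso.local. Changing DC02's age to 50 removes it (still reporting), and changing it to 80 also removes it (older than the window, so only the run 15 minutes earlier would have caught it), which is the behaviour that makes the rule fire once per interruption.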

Details

Jose Sebastián Canós

Released: November 14, 2022

Tables

SecurityEvent

Keywords

Devices, Intune, User

Operators

where, summarize, arg_max, by, has_any, between, project