Query Details

Security Event Unconstrained Delegation to User

Query

//Detects when unconstrained kerberos delegation is enabled on a user object
//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent
SecurityEvent
| where EventID == 4738
| parse EventData with * 'NewUacValue">' NewUacValue '</Data>' *
| parse EventData with * 'TargetUserName">' UserName '</Data>' *
| parse EventData with * 'SubjectUserName">' Actor '</Data>' *
| where NewUacValue == "0x2010"
| project TimeGenerated, Activity, UserName, Actor

Explanation

This query detects when unconstrained Kerberos delegation is enabled on a user object. It looks for Security Events with EventID 4738 and parses the EventData to extract the NewUacValue, TargetUserName, and SubjectUserName. It then filters for events where the NewUacValue is "0x2010" and projects the TimeGenerated, Activity, UserName, and Actor fields.
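The following Python is an added example, not the page's KQL or the author's code. It replays the query's logic over constructed 4738 EventData XML (the shape the SecurityEvent EventData column carries) and then generalises the exact string match: the page's "0x2010" is the NORMAL_ACCOUNT (0x0010) and TRUSTED_FOR_DELEGATION (0x2000) bits of the SAM USER_ACCOUNT_FLAGS encoding that event 4738 uses for New/Old UAC Value, so an account that also carries, say, DONT_EXPIRE_PASSWORD (0x0200) reports "0x2210" and slips past the literal comparison. Testing the 0x2000 bit instead catches those, and comparing against OldUacValue tells the analyst whether delegation was newly enabled or merely re-saved. The flag table and all sample values are assumptions constructed for the example; the page itself only states 0x2010.

```python
"""Decode the New UAC Value of Windows event 4738 and flag unconstrained delegation.

Added example (not part of the original page). Reproduces the KQL query's logic
and generalises its exact match on "0x2010" to a bitmask test.
"""
import xml.etree.ElementTree as ET

# New/Old UAC Value flags as encoded in event 4738 (SAM USER_ACCOUNT_FLAGS).
# The page's "0x2010" decodes to NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION.
UAC_FLAGS = {
    0x0001: "ACCOUNTDISABLE",
    0x0010: "NORMAL_ACCOUNT",
    0x0200: "DONT_EXPIRE_PASSWORD",
    0x2000: "TRUSTED_FOR_DELEGATION",  # unconstrained Kerberos delegation
    0x4000: "NOT_DELEGATED",
    0x10000: "DONT_REQUIRE_PREAUTH",
    0x40000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",  # constrained, protocol transition
}
TRUSTED_FOR_DELEGATION = 0x2000


def decode_uac(value: str) -> set:
    """Turn a hex string such as '0x2010' into the set of flag names it contains."""
    bits = int(value, 16)
    return {name for bit, name in UAC_FLAGS.items() if bits & bit}


def _uac_int(value):
    """4738 writes '-' for attributes that did not change; treat that as no value."""
    try:
        return int(value, 16)
    except (TypeError, ValueError):
        return None


def parse_event_data(event_data: str) -> dict:
    """Map every <Data Name="..."> element of an EventData blob to its text."""
    root = ET.fromstring(event_data)
    fields = {}
    for el in root.iter():
        # strip the namespace the Windows event schema puts on every tag
        if el.tag.rsplit("}", 1)[-1] == "Data" and el.get("Name"):
            fields[el.get("Name")] = (el.text or "").strip()
    return fields


def detect_unconstrained_delegation(events, exact_match=False):
    """Return one finding per 4738 event whose new UAC value carries TRUSTED_FOR_DELEGATION.

    exact_match=True reproduces the original query (NewUacValue == "0x2010");
    the default tests the 0x2000 bit so additional flags cannot hide the change.
    """
    findings = []
    for ev in events:
        if ev["EventID"] != 4738:
            continue
        data = parse_event_data(ev["EventData"])
        new_bits = _uac_int(data.get("NewUacValue"))
        if new_bits is None:
            continue  # UAC attribute untouched in this change
        if exact_match:
            hit = data.get("NewUacValue") == "0x2010"
        else:
            hit = bool(new_bits & TRUSTED_FOR_DELEGATION)
        if not hit:
            continue
        old_bits = _uac_int(data.get("OldUacValue")) or 0
        findings.append({
            "TimeGenerated": ev["TimeGenerated"],
            "UserName": data.get("TargetUserName"),
            "Actor": data.get("SubjectUserName"),
            "NewFlags": sorted(decode_uac(data["NewUacValue"])),
            "AlreadyEnabled": bool(old_bits & TRUSTED_FOR_DELEGATION),
        })
    return findings


def _event_data(**fields):
    """Constructed EventData XML in the shape the SecurityEvent column carries."""
    inner = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">{inner}</EventData>'


# Constructed sample events (hypothetical names and timestamps).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2022-06-17T10:00:00Z", "EventID": 4738,
     "EventData": _event_data(TargetUserName="svc_web", SubjectUserName="admin01",
                              OldUacValue="0x10", NewUacValue="0x2010")},
    {"TimeGenerated": "2022-06-17T10:05:00Z", "EventID": 4738,   # extra flag set: missed by exact match
     "EventData": _event_data(TargetUserName="svc_sql", SubjectUserName="admin02",
                              OldUacValue="0x210", NewUacValue="0x2210")},
    {"TimeGenerated": "2022-06-17T10:07:00Z", "EventID": 4738,   # change that left UAC alone
     "EventData": _event_data(TargetUserName="jdoe", SubjectUserName="helpdesk",
                              OldUacValue="-", NewUacValue="-")},
    {"TimeGenerated": "2022-06-17T10:09:00Z", "EventID": 4720,   # account creation, wrong EventID
     "EventData": _event_data(TargetUserName="newuser", SubjectUserName="admin01",
                              OldUacValue="0x0", NewUacValue="0x15")},
]

if __name__ == "__main__":
    for finding in detect_unconstrained_delegation(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the exact-match mode returns only svc_web, while the bitmask mode also surfaces svc_sql, whose "0x2210" is the same delegation change with "Password never expires" already set. The AlreadyEnabled field is what lets an analyst drop re-saves of an account that was already trusted for delegation and focus on the events where the bit actually flipped.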

Details

Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

SecurityEvent,EventID,EventData,NewUacValue,TargetUserName,UserName,SubjectUserName,Actor,TimeGenerated,Activity

Operators

where, ==, parse, with, *, '</Data>', |, project