Security Event Unexpected Network Share Access In A Domain Controller
Query
let query_frequency = 1h;
let query_period = 14d;
let _DomainControllers = toscalar(
_GetWatchlist("Service-PrivateCorporateServices")
| where Service == "DomainController"
| summarize make_list(HostName)
);
let _ExpectedRemoteSessionAccounts = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "DomainControllerRemoteSession" and Notes has "[NetworkShareAccess]"
| summarize make_list(ActorPrincipalName)
);
let _ExpectedIPs = toscalar(
_GetWatchlist("Service-PrivateCorporateServices")
| where Notes has "[PAM]"
| summarize make_list(IPAddress)
);
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID == 5140 and Computer has_any (_DomainControllers) and not(ShareName in (@"\\*\SYSVOL", @"\\*\IPC$", @"\\*\NETLOGON"))
| summarize arg_min(TimeGenerated, *) by Computer, Account, IpAddress, ShareLocalPath, ShareName
| where TimeGenerated > ago(query_frequency)
| where not(AccountType == "Machine" and IpAddress in ("127.0.0.1", "::1") and split(Account, @"\")[-1] == strcat(split(Computer, ".")[0], "$"))
| where not(Account in (_ExpectedRemoteSessionAccounts) and IpAddress in (_ExpectedIPs))
| project
TimeGenerated,
Computer,
AccountType,
Account,
IpAddress,
Activity,
ShareName,
ShareLocalPath,
ObjectType,
SubjectLogonId,
AccessList,
AccessMask,
EventDataExplanation
This KQL query is designed to monitor and identify unusual network share access activities on domain controllers within a corporate environment. Here's a simplified breakdown of what the query does:
-
Setup Timeframes:
query_frequencyis set to 1 hour, meaning the query looks for events that happened in the last hour.query_periodis set to 14 days, meaning the query considers events from the last 14 days.
-
Identify Domain Controllers:
- It retrieves a list of hostnames for domain controllers from a watchlist named "Service-PrivateCorporateServices."
-
Identify Expected Remote Session Accounts:
- It retrieves a list of accounts expected to perform significant activities, specifically remote sessions on domain controllers, from a watchlist named "Activity-ExpectedSignificantActivity."
-
Identify Expected IP Addresses:
- It retrieves a list of expected IP addresses associated with privileged access management (PAM) from the same watchlist used for domain controllers.
-
Filter Security Events:
- The query filters
SecurityEventlogs to find events with ID 5140 (indicating network share access) that occurred on the identified domain controllers. - It excludes common administrative shares like SYSVOL, IPC$, and NETLOGON from consideration.
- The query filters
-
Identify Unusual Access:
- It further filters these events to find the earliest occurrence for each combination of computer, account, IP address, and share path.
- It excludes events where:
- The account type is "Machine" and the IP address is a loopback address (127.0.0.1 or ::1) with a matching machine account name.
- The account and IP address are both in the lists of expected remote session accounts and expected IPs.
-
Output:
- The query projects relevant details of the filtered events, such as the time generated, computer name, account type, account name, IP address, activity, share name, share local path, object type, subject logon ID, access list, access mask, and event data.
In summary, this query is used to detect potentially unauthorized or unexpected network share access activities on domain controllers by filtering out expected and benign activities.
Details

Jose Sebastián Canós
Released: October 7, 2025
Tables
_GetWatchlistSecurityEvent
Keywords
DomainControllersRemoteSessionAccountsIPsSecurityEventComputerAccountIpAddressShareLocalPathShareNameAccountTypeActivityObjectTypeSubjectLogonIdAccessListAccessMaskEventData
Operators
lettoscalar_GetWatchlistwheresummarizemake_listhasagohas_anynotinarg_minbysplitstrcatproject