Query Details

Security Event Unusual Access To Distinct Network Shares

Query

let query_frequency = 1h;
let query_period = 14d;
let files_threshold = 5;
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID == 5140
| summarize arg_min(TimeGenerated, *) by IpAddress, Account, Computer, ShareLocalPath
| where TimeGenerated > ago(query_frequency)
| summarize hint.strategy=shuffle
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    Accounts = array_sort_asc(make_set(Account, 50)),
    Computers = array_sort_asc(make_set(Computer, 50)),
    ShareLocalPaths = array_sort_asc(make_set_if(ShareLocalPath, isnotempty(ShareLocalPath), 50)),
    ShareLocalPathCount = count_distinct(ShareLocalPath),
    take_any(Activity)
    by IpAddress
| where ShareLocalPathCount > files_threshold
| project
    StartTime,
    EndTime,
    IpAddress,
    Accounts,
    Activity,
    Computers,
    ShareLocalPathCount,
    ShareLocalPaths

Explanation

This KQL query analyzes Windows security events related to network share access and flags source IP addresses that start touching many shares they have not been seen on before. A step-by-step breakdown of what the query does:

  1. Time Frame and Event Filtering: It looks at SecurityEvent records from the last 14 days (query_period) and keeps only events with EventID 5140 ("A network share object was accessed"), which record network share access.

  2. Initial Summarization: For each unique combination of IP address, account, computer, and share local path, it keeps the earliest event (arg_min(TimeGenerated, *)), i.e. the first time that IP/account/computer was seen on that share within the 14-day window.

  3. Recent Activity Filtering: It then keeps only combinations whose first sighting falls within the last hour (query_frequency). Repeated access to a share that was already used earlier in the window is discarded here, so only newly observed access survives.

  4. Detailed Summarization: It groups the remaining rows by IP address (hint.strategy=shuffle spreads the aggregation across cluster nodes) and calculates:
      • The start and end times of the events.
      • A sorted list of unique accounts and computers involved (up to 50 each).
      • A sorted list of unique share local paths accessed, excluding empty paths (up to 50).
      • The count of distinct share local paths accessed.
      • One representative Activity string (take_any(Activity)).

  5. Threshold Filtering: It keeps only IP addresses for which the number of distinct share local paths accessed is greater than 5 (files_threshold).

  6. Projection: Finally, it selects and displays specific columns: start and end times, IP address, accounts, activity, computers, the count of share local paths, and the list of share local paths.

In essence, this query identifies IP addresses that, in the last hour, accessed more than five different shared paths for the first time in 14 days, providing details about the accounts and computers involved. Tune files_threshold and query_period to the environment: if the 14-day baseline is shorter than a legitimate duty cycle (a monthly backup job, for example), that periodic access will be reported as new.
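To make the "first seen, then count per IP" logic concrete, the following Python re-implements the detection over a handful of constructed SecurityEvent-like records. This is an added example, not the query author's code and not something that runs inside Log Analytics; the sample events, IP addresses, account names and share paths are invented, and the NOW timestamp is fixed so the window arithmetic is reproducible.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the 1-hour and 14-day windows are deterministic (constructed).
NOW = datetime(2025, 4, 30, 12, 0, tzinfo=timezone.utc)


def event(minutes_ago, ip, account, computer, share, event_id=5140):
    """Build one constructed SecurityEvent-like record with the columns the query uses."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "EventID": event_id,
        "IpAddress": ip,
        "Account": account,
        "Computer": computer,
        "ShareLocalPath": share,
        "Activity": f"{event_id} - A network share object was accessed.",
    }


# Constructed sample telemetry (not real data). Accounts, hosts and paths are invented.
SAMPLE_EVENTS = [
    # 10.0.0.5: six shares on FS01 never seen before, all first touched within the last hour.
    event(50, "10.0.0.5", "CORP\\alice", "FS01", r"C:\Shares\Finance"),
    event(40, "10.0.0.5", "CORP\\alice", "FS01", r"C:\Shares\HR"),
    event(30, "10.0.0.5", "CORP\\alice", "FS01", r"C:\Shares\Legal"),
    event(25, "10.0.0.5", "CORP\\alice", "FS01", r"C:\Shares\Engineering"),
    event(20, "10.0.0.5", "CORP\\alice", "FS01", r"C:\Shares\Backups"),
    event(10, "10.0.0.5", "CORP\\alice", "FS01", r"C:\Shares\IT"),
    event(15, "10.0.0.5", "CORP\\alice", "FS01", ""),                   # empty path: counted, not listed
    event(5, "10.0.0.5", "CORP\\alice", "FS01", r"C:\Shares\Finance"),  # repeat; arg_min keeps the 50-minute row
    # 10.0.0.9: seven shares in the last hour, but five were first seen three days ago.
    *[event(3 * 24 * 60, "10.0.0.9", "CORP\\bob", "FS02", rf"C:\Shares\Proj{i}") for i in range(5)],
    *[event(20, "10.0.0.9", "CORP\\bob", "FS02", rf"C:\Shares\Proj{i}") for i in range(5)],
    event(18, "10.0.0.9", "CORP\\bob", "FS02", r"C:\Shares\New1"),
    event(17, "10.0.0.9", "CORP\\bob", "FS02", r"C:\Shares\New2"),
    # Noise: a different event ID, and an event older than the 14-day window.
    event(12, "10.0.0.7", "CORP\\carol", "FS01", r"C:\Shares\Finance", event_id=5145),
    event(20 * 24 * 60, "10.0.0.8", "CORP\\dave", "FS01", r"C:\Shares\Finance"),
]


def detect_unusual_share_access(events, now=NOW, query_frequency_hours=1,
                                query_period_days=14, files_threshold=5):
    """Python equivalent of the KQL detection (added example, mirrors each pipeline stage)."""
    period_start = now - timedelta(days=query_period_days)
    recent_start = now - timedelta(hours=query_frequency_hours)

    # Steps 1-2: EventID 5140 inside query_period, then arg_min(TimeGenerated, *) per
    # (IpAddress, Account, Computer, ShareLocalPath): the first sighting of each tuple.
    first_seen = {}
    for e in events:
        if e["EventID"] != 5140 or e["TimeGenerated"] <= period_start:
            continue
        key = (e["IpAddress"], e["Account"], e["Computer"], e["ShareLocalPath"])
        if key not in first_seen or e["TimeGenerated"] < first_seen[key]["TimeGenerated"]:
            first_seen[key] = e

    # Step 3: only tuples whose first sighting falls inside query_frequency are "new".
    new_rows = [e for e in first_seen.values() if e["TimeGenerated"] > recent_start]

    # Step 4: aggregate the new tuples per source IP, as the second summarize does.
    by_ip = defaultdict(list)
    for e in new_rows:
        by_ip[e["IpAddress"]].append(e)

    results = []
    for ip, rows in sorted(by_ip.items()):
        # count_distinct counts the empty string as a value, while make_set_if(..., isnotempty)
        # drops it, so the count can exceed the listed paths by one.
        distinct_paths = {r["ShareLocalPath"] for r in rows}
        if len(distinct_paths) <= files_threshold:  # Step 5: files_threshold filter
            continue
        results.append({                             # Step 6: projected columns
            "StartTime": min(r["TimeGenerated"] for r in rows),
            "EndTime": max(r["TimeGenerated"] for r in rows),
            "IpAddress": ip,
            "Accounts": sorted({r["Account"] for r in rows})[:50],   # make_set cap of 50
            "Activity": rows[0]["Activity"],                         # take_any(Activity)
            "Computers": sorted({r["Computer"] for r in rows})[:50],
            "ShareLocalPathCount": len(distinct_paths),
            "ShareLocalPaths": sorted(p for p in distinct_paths if p)[:50],
        })
    return results


if __name__ == "__main__":
    for hit in detect_unusual_share_access(SAMPLE_EVENTS):
        print(hit["IpAddress"], hit["ShareLocalPathCount"], hit["ShareLocalPaths"])
```

Running it flags only 10.0.0.5: 10.0.0.9 touched seven shares in the last hour too, but five of those tuples were first seen three days earlier and are filtered out at step 3, which is exactly what distinguishes this query from a plain per-hour share count. Widening query_frequency_hours to cover those three days makes 10.0.0.9 fire as well, which is a quick way to see how the two time parameters interact before changing them in production.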

Details


Jose Sebastián Canós

Released: April 30, 2025

Tables

SecurityEvent

Keywords

SecurityEvent, IpAddress, Account, Computer, ShareLocalPath, TimeGenerated, EventID

Operators

let, where, ago, summarize, arg_min, by, hint.strategy, min, max, array_sort_asc, make_set, make_set_if, isnotempty, count_distinct, take_any, project
