Query Details

Security Event Unusual Network Share Access In A Domain Controller

Query

// Run window of the scheduled rule, and the lookback used as the "seen before" baseline.
let query_frequency = 1h;
let query_period = 14d;
// Host names of the domain controllers, taken from the watchlist rows tagged "DomainController".
let _DomainControllers = toscalar(
    _GetWatchlist("Service-PrivateCorporateServices")
    | where Service == "DomainController"
    | summarize make_list(HostName)
);
SecurityEvent
| where TimeGenerated > ago(query_period)
// 5140: a network share object was accessed.
| where EventID == 5140
| where Computer has_any (_DomainControllers)
// Drop the shares every domain member reads routinely.
| where not(ShareName in (@"\\*\SYSVOL", @"\\*\IPC$", @"\\*\NETLOGON"))
// Earliest sighting of each (computer, account, source IP, share) combination within the baseline.
| summarize arg_min(TimeGenerated, *) by Computer, Account, IpAddress, ShareLocalPath, ShareName
// Keep only combinations first seen inside the run window, i.e. not observed in the preceding 14 days.
| where TimeGenerated > ago(query_frequency)
| project
    TimeGenerated,
    Computer,
    AccountType,
    Account,
    IpAddress,
    Activity,
    ShareName,
    ShareLocalPath,
    ObjectType,
    SubjectLogonId,
    AccessList,
    AccessMask,
    EventData

Explanation

This KQL query is designed to monitor and identify specific network share access events on domain controllers within a corporate environment. Here's a simplified breakdown of what the query does:

  1. Define Parameters:

    • query_frequency is set to 1 hour; this is the run window, so only share-access combinations first seen in the last hour are reported.
    • query_period is set to 14 days, indicating the overall time range for data analysis.
  2. Identify Domain Controllers:

    • The query retrieves a list of domain controllers from a watchlist named "Service-PrivateCorporateServices" where the service is labeled as "DomainController".
  3. Filter Security Events:

    • It looks at the SecurityEvent table for events generated within the last 14 days.
    • Specifically, it filters for events with EventID 5140, which indicates a network share object was accessed.
    • It further narrows down the events to those occurring on computers identified as domain controllers.
    • It excludes the standard shares SYSVOL, IPC$, and NETLOGON, which every domain member accesses routinely, from the results.
  4. Summarize Events:

    • The query summarizes the data to find the earliest occurrence (arg_min) of each event by computer, account, IP address, share local path, and share name.
  5. Filter Recent Events:

    • It then keeps only those summarized combinations whose earliest occurrence falls within the last hour, i.e. combinations that were not seen at any point in the preceding 14 days.
  6. Select Relevant Data:

    • Finally, it projects (selects) specific fields to display, such as the time the event was generated, computer name, account type, account name, IP address, activity, share name, share local path, object type, subject logon ID, access list, access mask, and event data.

In essence, this query helps monitor unauthorized or unusual access to network shares on domain controllers: it excludes the standard shares, compares each access against a 14-day baseline, and reports only combinations that are new within the last hour, so potential security issues surface quickly.
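To make the first-seen logic concrete, the following Python re-implements the query's pipeline over a handful of constructed 5140-style events. This is an added example, not code from the original page or its author: the watchlist rows, host names, accounts, IP addresses and share paths are all invented, the fixed NOW replaces ago(), and has_any is approximated with case-insensitive substring containment rather than KQL's term matching.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2025, 4, 30, 12, 0, tzinfo=timezone.utc)
QUERY_FREQUENCY = timedelta(hours=1)   # let query_frequency = 1h
QUERY_PERIOD = timedelta(days=14)      # let query_period = 14d

# Hypothetical watchlist rows standing in for _GetWatchlist("Service-PrivateCorporateServices").
WATCHLIST = [
    {"Service": "DomainController", "HostName": "DC01"},
    {"Service": "DomainController", "HostName": "DC02"},
    {"Service": "FileServer", "HostName": "FS01"},
]

# Shares the query excludes; every domain member touches these routinely.
EXCLUDED_SHARES = {r"\\*\SYSVOL", r"\\*\IPC$", r"\\*\NETLOGON"}


def ev(hours_ago, computer, account, ip, share, path):
    """Build one constructed Security event 5140 record."""
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "EventID": 5140,
        "Computer": computer,
        "Account": account,
        "IpAddress": ip,
        "ShareName": share,
        "ShareLocalPath": path,
    }


# Constructed sample events (not real telemetry), chosen to exercise each filter stage.
EVENTS = [
    # Routine NETLOGON read on a DC: dropped by the share exclusion.
    ev(0.4, "DC01.corp.example", r"CORP\alice", "10.0.0.5", r"\\*\NETLOGON",
       r"C:\Windows\SYSVOL\sysvol\corp.example\SCRIPTS"),
    # Backup account reading C$ on DC01: first seen 10 days ago, again 20 minutes ago.
    # Its earliest sighting is outside the run window, so it is baseline, not an alert.
    ev(240, "DC01.corp.example", r"CORP\svc-backup", "10.0.0.9", r"\\*\C$", "C:\\"),
    ev(0.33, "DC01.corp.example", r"CORP\svc-backup", "10.0.0.9", r"\\*\C$", "C:\\"),
    # ADMIN$ on DC02 from a workstation address, never seen before: alert.
    ev(0.25, "DC02.corp.example", r"CORP\bob", "10.0.5.77", r"\\*\ADMIN$", r"C:\Windows"),
    # Same account and source on a file server: not a DC, ignored.
    ev(0.1, "FS01.corp.example", r"CORP\bob", "10.0.5.77", r"\\*\Data", r"D:\Data"),
    # Tools share on DC02 seen 20 days ago (outside the 14-day baseline) and again 30 minutes
    # ago: the old sighting is not in the baseline, so this combination resurfaces as "new".
    ev(24 * 20, "DC02.corp.example", r"CORP\carol", "10.0.0.20", r"\\*\Tools", r"D:\Tools"),
    ev(0.5, "DC02.corp.example", r"CORP\carol", "10.0.0.20", r"\\*\Tools", r"D:\Tools"),
]


def domain_controllers(watchlist):
    """Mirror the toscalar(... | summarize make_list(HostName)) step."""
    return [row["HostName"] for row in watchlist if row["Service"] == "DomainController"]


def has_any(value, terms):
    """Approximate KQL has_any (case-insensitive term match) with substring containment."""
    v = value.lower()
    return any(t.lower() in v for t in terms)


def detect_new_share_access(events, watchlist, now=NOW):
    """Re-implement the query's pipeline; returns the rows the rule would alert on."""
    dcs = domain_controllers(watchlist)
    in_scope = [
        e for e in events
        if e["TimeGenerated"] > now - QUERY_PERIOD          # where TimeGenerated > ago(query_period)
        and e["EventID"] == 5140
        and has_any(e["Computer"], dcs)                      # Computer has_any (_DomainControllers)
        and e["ShareName"] not in EXCLUDED_SHARES            # not(ShareName in (...))
    ]
    # summarize arg_min(TimeGenerated, *) by Computer, Account, IpAddress, ShareLocalPath, ShareName
    first_seen = {}
    for e in in_scope:
        key = (e["Computer"], e["Account"], e["IpAddress"], e["ShareLocalPath"], e["ShareName"])
        if key not in first_seen or e["TimeGenerated"] < first_seen[key]["TimeGenerated"]:
            first_seen[key] = e
    # where TimeGenerated > ago(query_frequency): only combinations whose *earliest* sighting
    # falls inside the run window survive, i.e. they were not seen in the prior baseline.
    return sorted(
        (e for e in first_seen.values() if e["TimeGenerated"] > now - QUERY_FREQUENCY),
        key=lambda e: e["TimeGenerated"],
    )


if __name__ == "__main__":
    for row in detect_new_share_access(EVENTS, WATCHLIST):
        print(row["TimeGenerated"].isoformat(), row["Computer"], row["Account"],
              row["IpAddress"], row["ShareName"])
```

Run as a script it prints two rows, carol's Tools access and bob's ADMIN$ access, and nothing for the backup account whose C$ reads are already in the baseline. The carol row illustrates the caveat of any first-seen rule: the baseline is only as long as query_period, so a combination last seen more than 14 days ago is reported as new again, and query_frequency has to match the scheduled rule's actual run interval or combinations first seen between runs are missed.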

Details


Jose Sebastián Canós

Released: April 30, 2025

Tables

SecurityEvent

Keywords

SecurityEvent, DomainControllers, Computer, Account, IpAddress, ShareName, ShareLocalPath, EventData

Operators

let, toscalar, _GetWatchlist, where, summarize, make_list, has_any, not, in, arg_min, project
