Security Event Unusual Network Share Access In A Domain Controller
Query
let query_frequency = 1h;
let query_period = 14d;
let _DomainControllers = toscalar(
_GetWatchlist("Service-PrivateCorporateServices")
| where Service == "DomainController"
| summarize make_list(HostName)
);
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID == 5140 and Computer has_any (_DomainControllers) and not(ShareName in (@"\\*\SYSVOL", @"\\*\IPC$", @"\\*\NETLOGON"))
| summarize arg_min(TimeGenerated, *) by Computer, Account, IpAddress, ShareLocalPath, ShareName
| where TimeGenerated > ago(query_frequency)
| project
TimeGenerated,
Computer,
AccountType,
Account,
IpAddress,
Activity,
ShareName,
ShareLocalPath,
ObjectType,
SubjectLogonId,
AccessList,
AccessMask,
EventDataExplanation
This KQL query is designed to monitor and identify specific network share access events on domain controllers within a corporate environment. Here's a simplified breakdown of what the query does:
-
Define Parameters:
query_frequencyis set to 1 hour, meaning the query will focus on events that occurred in the last hour.query_periodis set to 14 days, indicating the overall time range for data analysis.
-
Identify Domain Controllers:
- The query retrieves a list of domain controllers from a watchlist named "Service-PrivateCorporateServices" where the service is labeled as "DomainController".
-
Filter Security Events:
- It looks at the
SecurityEventtable for events generated within the last 14 days. - Specifically, it filters for events with
EventID5140, which indicates a network share object was accessed. - It further narrows down the events to those occurring on computers identified as domain controllers.
- It excludes common administrative shares like
SYSVOL,IPC$, andNETLOGONfrom the results.
- It looks at the
-
Summarize Events:
- The query summarizes the data to find the earliest occurrence (
arg_min) of each event by computer, account, IP address, share local path, and share name.
- The query summarizes the data to find the earliest occurrence (
-
Filter Recent Events:
- It then filters these summarized events to only include those that occurred in the last hour.
-
Select Relevant Data:
- Finally, it projects (selects) specific fields to display, such as the time the event was generated, computer name, account type, account name, IP address, activity, share name, share local path, object type, subject logon ID, access list, access mask, and event data.
In essence, this query helps in monitoring unauthorized or unusual access to network shares on domain controllers, excluding standard administrative shares, and focuses on recent activities to quickly identify potential security issues.
Details

Jose Sebastián Canós
Released: April 30, 2025
Tables
SecurityEvent
Keywords
SecurityEventDomainControllersComputerAccountIpAddressShareNameShareLocalPathEventData
Operators
lettoscalar_GetWatchlistwheresummarizemake_listhas_anynotinarg_minproject