Query Details

Security Event Unusual Network Share Access

Query

let query_frequency = 1h;   // run interval; only combinations first seen inside this window can alert
let query_period = 14d;     // lookback used to establish what has been seen before
let files_threshold = 5;    // alert when one source IP reaches more than this many distinct shares
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID == 5140 // A network share object was accessed
// Reduce each (source IP, account, file server, share) combination to the time it was first seen
| summarize arg_min(TimeGenerated, *) by IpAddress, Account, Computer, ShareLocalPath
// Keep only combinations whose first sighting falls in the current run window, i.e. new ones
| where TimeGenerated > ago(query_frequency)
| summarize hint.strategy=shuffle
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    Accounts = array_sort_asc(make_set(Account, 50)),
    Computers = array_sort_asc(make_set(Computer, 50)),
    ShareLocalPaths = array_sort_asc(make_set_if(ShareLocalPath, isnotempty(ShareLocalPath), 50)),
    ShareLocalPathCount = count_distinct(ShareLocalPath),
    take_any(Activity)
    by IpAddress
// Flag source IPs that reached more than files_threshold distinct shares for the first time
| where ShareLocalPathCount > files_threshold
| project
    StartTime,
    EndTime,
    IpAddress,
    Accounts,
    Activity,
    Computers,
    ShareLocalPathCount,
    ShareLocalPaths

Explanation

This query looks at SecurityEvent records with EventID 5140 (a network share object was accessed) from the past 14 days. It first takes the earliest event for each combination of source IP address, account, computer, and share local path, so every combination is reduced to the time it was first seen in the lookback. It then keeps only the combinations whose first sighting falls within the last hour, that is, share accesses that are new for that IP, account, and computer. Those new combinations are grouped by IP address, recording the first and last time, the accounts, computers, and share local paths involved (up to 50 each, sorted ascending), the number of distinct share local paths, and one Activity description. Only IP addresses that touched more than 5 distinct share local paths for the first time in the last hour are returned, a pattern consistent with share enumeration or lateral movement from a host that has not accessed those shares before. Because the first stage keys on the full combination rather than on the IP alone, an IP that has been seen before still fires when it starts reading shares it never touched. Event 5140 is only written when the Audit File Share subcategory is enabled on the file servers, and files_threshold and query_period should be tuned to the environment.
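The two-stage logic above (first-seen per combination over the lookback, then aggregation of the combinations that are new in the run window) is easy to misread as a single group-by. The following is an added example, not code from the page or its author, that reproduces the query's semantics in Python over a small constructed set of EventID 5140 records, so the first-seen filtering and the threshold can be checked offline. The record layout, the fixed clock value NOW, and the ev helper are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constants mirroring the query's let statements.
QUERY_FREQUENCY = timedelta(hours=1)
QUERY_PERIOD = timedelta(days=14)
FILES_THRESHOLD = 5
MAKE_SET_LIMIT = 50  # make_set(..., 50) caps each array at 50 values

# Fixed "now" so the constructed sample is deterministic (assumption, not a real clock).
NOW = datetime(2024, 7, 2, 12, 0, tzinfo=timezone.utc)


def ev(minutes_ago, ip, account, computer, share, event_id=5140):
    """Build one constructed SecurityEvent-like record with the columns the query reads."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "EventID": event_id,
        "IpAddress": ip,
        "Account": account,
        "Computer": computer,
        "ShareLocalPath": share,
        "Activity": "5140 - A network share object was accessed.",
    }


# Constructed sample events (synthetic, not captured logs).
EVENTS = [
    # 10.0.0.5 reaches six different shares on FS01 for the first time in the last hour.
    *[ev(5 + i, "10.0.0.5", "CORP\\jdoe", "FS01", f"C:\\Shares\\Dept{i}") for i in range(6)],
    # A repeat access of Dept0 two minutes ago; arg_min keeps the earlier sighting.
    ev(2, "10.0.0.5", "CORP\\jdoe", "FS01", "C:\\Shares\\Dept0"),
    # 10.0.0.9 has read its seven backup shares for days, so none of them are new this hour.
    *[ev(3 * 24 * 60 + i, "10.0.0.9", "CORP\\backup", "FS02", f"D:\\Backups\\Set{i}") for i in range(7)],
    *[ev(10 + i, "10.0.0.9", "CORP\\backup", "FS02", f"D:\\Backups\\Set{i}") for i in range(7)],
    # 10.0.0.7 is new but only touches three shares, under the threshold.
    *[ev(20 + i, "10.0.0.7", "CORP\\svc", "FS01", f"C:\\Shares\\Dept{i}") for i in range(3)],
    # Outside query_period: dropped by the first where.
    ev(20 * 24 * 60, "10.0.0.5", "CORP\\jdoe", "FS01", "C:\\Shares\\Old"),
    # Not EventID 5140: dropped by the second where.
    ev(3, "10.0.0.5", "CORP\\jdoe", "FS01", "C:\\Shares\\Other", event_id=5145),
]


def unusual_share_access(events, now=NOW):
    """Return the rows the KQL query would produce for `events` evaluated at `now`."""
    # Stage 1: summarize arg_min(TimeGenerated, *) by IpAddress, Account, Computer, ShareLocalPath
    first_seen = {}
    for e in events:
        if e["EventID"] != 5140 or e["TimeGenerated"] <= now - QUERY_PERIOD:
            continue
        key = (e["IpAddress"], e["Account"], e["Computer"], e["ShareLocalPath"])
        if key not in first_seen or e["TimeGenerated"] < first_seen[key]["TimeGenerated"]:
            first_seen[key] = e

    # Stage 2: keep only combinations first seen inside the run window (new ones), group by IP.
    per_ip = defaultdict(list)
    for row in first_seen.values():
        if row["TimeGenerated"] > now - QUERY_FREQUENCY:
            per_ip[row["IpAddress"]].append(row)

    results = []
    for ip, rows in sorted(per_ip.items()):
        share_count = len({r["ShareLocalPath"] for r in rows})  # count_distinct(ShareLocalPath)
        if share_count <= FILES_THRESHOLD:  # where ShareLocalPathCount > files_threshold
            continue
        results.append({
            "StartTime": min(r["TimeGenerated"] for r in rows),
            "EndTime": max(r["TimeGenerated"] for r in rows),
            "IpAddress": ip,
            "Accounts": sorted({r["Account"] for r in rows})[:MAKE_SET_LIMIT],
            "Activity": rows[0]["Activity"],  # take_any(Activity)
            "Computers": sorted({r["Computer"] for r in rows})[:MAKE_SET_LIMIT],
            "ShareLocalPathCount": share_count,
            # make_set_if(ShareLocalPath, isnotempty(ShareLocalPath), 50), sorted ascending
            "ShareLocalPaths": sorted({r["ShareLocalPath"] for r in rows if r["ShareLocalPath"]})[:MAKE_SET_LIMIT],
        })
    return results


if __name__ == "__main__":
    for hit in unusual_share_access(EVENTS):
        print(hit["IpAddress"], hit["ShareLocalPathCount"], hit["ShareLocalPaths"])
```

Running it returns a single row for 10.0.0.5: 10.0.0.9 touches more shares in the window but none of them are first sightings, and 10.0.0.7 is new but stays under the threshold. The StartTime and EndTime of the hit come from the first-seen times of the new combinations, not from the latest raw events, which is why the repeat access of Dept0 two minutes ago does not move EndTime.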

Details


Jose Sebastián Canós

Released: July 2, 2024

Tables

SecurityEvent

Keywords

SecurityEvent,TimeGenerated,EventID,IpAddress,Account,Computer,ShareLocalPath,StartTime,EndTime,Accounts,Activity,Computers,ShareLocalPathCount,ShareLocalPaths.

Operators

where, summarize, arg_min, hint.strategy, min, max, array_sort_asc, make_set, make_set_if, isnotempty, count_distinct, take_any, by, project
