Query Details
# Identify endpoints with critical logged on users, and shares with permission set to “Everyone”
## Description
The following query uses the DeviceTvmSecureConfigurationAssessment table, which requires the Microsoft Defender Vulnerability Management (MDVM) add-on license. The results list endpoints where users marked as critical are logged on and the same endpoints expose shares with permissions set to "Everyone".
### Microsoft Defender XDR
```kql
// Critical identities (CriticalityLevel 1) and the devices they are logged on to.
let CriticalUsers = IdentityInfo
    | where CriticalityLevel == "1"
    | project AccountName, AccountDisplayName
    | join kind=inner (
        DeviceInfo
        // LoggedOnUsers is a JSON array; expand it so every logged-on user
        // is matched, not only the first element of the array.
        | mv-expand LoggedOnUser = parse_json(LoggedOnUsers)
        | extend AccountNameDevice = tostring(LoggedOnUser["UserName"])
        | where isnotempty(AccountNameDevice)
        | project DeviceId, DeviceName, AccountNameDevice
      ) on $left.AccountName == $right.AccountNameDevice
    | summarize by DeviceId, DeviceName, AccountName, AccountDisplayName;
// scid-4001: non-compliant devices with shares granting access to "Everyone".
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId has "scid-4001"
| where IsCompliant == "0"
| where IsApplicable == "1"
// Context is a nested array; its first entry carries the share folder and its path.
| extend Folder = parse_json(Context)[0][0]
| extend Path = parse_json(Context)[0][1]
| project DeviceId, DeviceName, OSPlatform, Folder, Path
| join kind=inner CriticalUsers on $left.DeviceId == $right.DeviceId
| project DeviceId, DeviceName, OSPlatform,
          Folder, Path, AccountName, AccountDisplayName
```
### Versioning
| Version | Date | Comments |
| ------------- |---------------| ---------------------------------------|
| 1.0 | 12/02/2025 | Initial publish |
This query is designed to identify security risks on endpoints by finding two specific conditions:

- Critical users logged in: it first identifies users who are marked as critical (with a criticality level of "1") and checks which devices these users have logged into. This is done by joining user information with device information to match logged-on users to their respective devices.
- Shares with "Everyone" permission: it then looks for devices that have shared folders with permissions set to "Everyone", which can be a security risk. This is determined by checking the DeviceTvmSecureConfigurationAssessment table for non-compliant configurations related to shared folders.

The query combines these two conditions to produce a list of devices where critical users have logged in and where there are shared folders with potentially insecure permissions. The output includes details such as the device ID, device name, operating system platform, folder path, and the critical user's account information.

Michalis Michalos
Released: February 12, 2025