Detect service account login on new device
Detect Service Acc Login On New Device
Query
// Get all enabled service accounts
let service_acc = (
IdentityInfo
| where Timestamp > ago(7d)
| where Type == "ServiceAccount" and IsAccountEnabled == 1
| distinct AccountName = tolower(AccountName)
);
// Get the history service account logins
let historic_events = (
DeviceLogonEvents
| where Timestamp between (ago(14d) .. ago(1h))
| where ActionType == "LogonSuccess"
| extend AccountName = tolower(AccountName)
| join kind=inner service_acc on AccountName
| summarize HistoricLogins = make_set(DeviceName) by AccountName
);
// Get the account logins done over Network
DeviceLogonEvents
| where Timestamp > ago(1h)
| where LogonType == "Network"
| where ActionType == "LogonSuccess"
| extend AccountName = tolower(AccountName)
// Join inner to only get known service account logins
| join kind=inner service_acc on AccountName
// Join inner to get a list of the historic device logins for the service accounts
| join kind=inner historic_events on AccountName
// Only get sign-ins where Device is not in the history logins
| extend HistoricLogins = tostring(HistoricLogins)
| where HistoricLogins !contains DeviceName
// Make output better
| project-away AccountName1, AccountName2
// Exclude MDI Service Account - CHANGE IF DIFFERENT FOR YOUR ORG
| where AccountName != "gsma_mdi$"
// Environment specific finetuning - begin
// Environment specific finetuning - endAbout this query
Explanation
This query is designed to detect potentially suspicious activity involving service accounts logging into new devices within a network. Here's a simplified breakdown of what the query does:
-
Identify Active Service Accounts: It first gathers a list of all service accounts that have been active in the past week and are currently enabled.
-
Track Historical Logins: The query then looks at the login history of these service accounts over the past 14 days, focusing on successful logins to various devices.
-
Monitor Recent Logins: It checks for any successful network logins by these service accounts in the last hour.
-
Compare with Historical Data: The query compares recent logins against the historical login data. It flags any logins to devices that the service account hasn't accessed in the past 14 days.
-
Exclude Known Exceptions: Certain service accounts, like the MDI service account, are excluded from this check to avoid false positives.
-
Customization for Specific Environments: The query allows for environment-specific adjustments to further refine the detection and reduce false positives.
The purpose of this query is to identify unusual login patterns that might suggest a service account has been compromised and is being used for unauthorized access or lateral movement within the network.
Details

Robbe Van den Daele
Released: March 12, 2025
Tables
Keywords
Operators