Query Details

Find which devices have been accessed by a compromised device and which protocol was used to connect

MDI Devices Accessed By Compromised Device

Query

let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityLogonEvents
| where TimeGenerated > (now() - SearchWindow)
| where DeviceName == CompromisedDevice
| summarize
     TotalDevicesAccessed = dcount(DestinationDeviceName),
     DevicesAccessed = make_set(DestinationDeviceName),
     ProtocolsUsed = make_set(Protocol)
     by DeviceName

About this query

Find which devices have been accessed by a compromised device and which protocol was used to connect


Defender XDR

let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityLogonEvents
| where Timestamp > (now() - SearchWindow)
| where DeviceName == CompromisedDevice
| summarize
     TotalDevicesAccessed = dcount(DestinationDeviceName),
     DevicesAccessed = make_set(DestinationDeviceName),
     ProtocolsUsed = make_set(Protocol)
     by DeviceName

Sentinel

Explanation

This query is designed to identify which devices have been accessed by a specific compromised device, "laptop.contoso.com," within a specified time frame (48 hours by default). It also determines the protocols used for these connections.

Here's a simple breakdown of what the query does:

  1. Define Variables:

    • CompromisedDevice: The name of the device that is suspected to be compromised ("laptop.contoso.com").
    • SearchWindow: The time period to look back from the current time (48 hours).
  2. Filter Events:

    • The query looks at logon events from the IdentityLogonEvents table.
    • It filters these events to only include those that occurred within the last 48 hours.
    • It further narrows down the events to those where the DeviceName matches the compromised device.
  3. Summarize Results:

    • It counts the total number of unique devices accessed by the compromised device (TotalDevicesAccessed).
    • It creates a list of all unique devices that were accessed (DevicesAccessed).
    • It creates a list of all unique protocols used for these connections (ProtocolsUsed).
  4. Output:

    • The results are grouped by the compromised device name, providing a summary of its activity in terms of accessed devices and used protocols.

This query is useful for security analysts to understand the potential impact of a compromised device by identifying other devices it has interacted with and the methods of interaction.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

IdentityLogonEvents

Keywords

DevicesProtocols

Operators

letwheresummarizedcountmake_setbynow>==

Actions

GitHub