Find which devices have been accessed by a list of compromised accounts and which protocol was used to connect
MDI Lateral Movement By Compromised Accounts
Query
let ComprimsedUsers = dynamic(['user1', 'user2']);
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityLogonEvents
| where TimeGenerated > (now() - SearchWindow)
| where AccountName has_any (ComprimsedUsers)
| where isnotempty(TargetDeviceName)
| where ActionType == "LogonSuccess"
| project TimeGenerated, AccountName, Protocol, TargetDeviceNameAbout this query
Find which devices have been accessed by a list of compromised accounts and which protocol was used to connect
Defender XDR
let ComprimsedUsers = dynamic(['user1', 'user2']);
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityLogonEvents
| where Timestamp > (now() - SearchWindow)
| where AccountName has_any (ComprimsedUsers)
| where isnotempty(TargetDeviceName)
| where ActionType == "LogonSuccess"
| project Timestamp, AccountName, Protocol, TargetDeviceName
Sentinel
Explanation
This query is designed to identify which devices have been accessed by a specified list of compromised user accounts and to determine the protocol used for these connections. Here's a simple breakdown of what the query does:
-
Define Compromised Users: It starts by defining a list of compromised user accounts (e.g., 'user1', 'user2').
-
Set a Time Window: It specifies a time window of 48 hours to search for relevant logon events. This time window can be adjusted as needed.
-
Filter Logon Events: The query searches through logon events to find instances where:
- The event occurred within the last 48 hours.
- The account name matches any of the compromised users.
- The target device name (the device being accessed) is not empty.
- The logon action was successful.
-
Select Relevant Data: It extracts and displays specific information from these events, including the timestamp of the event, the account name, the protocol used for the connection, and the name of the target device.
This query is useful for security monitoring, helping to track unauthorized access by compromised accounts and understand how these accounts are connecting to devices within the network.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators