Query Details

Defender for Identity - Honeytoken was queried via SAM-R

MDI Honeytoken Was Queried Via SAM R

Query

// add your honeyoken account SIDs here
let users = pack_array("S-1-5-21-", "S-1-5-21-");
IdentityQueryEvents
| where ActionType =='SAMR query'
| where QueryType == "QueryUser"
| extend TargetSid = tostring(parse_json(AdditionalFields.TargetAccountSid))
| where TargetSid in (users)
| extend TARGET_OBJECT_ENTITY_USER = tostring(AdditionalFields.["TARGET_OBJECT.ENTITY_USER"])
| extend FROM_DEVICE = tostring(AdditionalFields.["FROM.DEVICE"])
| extend TO_DEVICE = tostring(AdditionalFields.["TO.DEVICE"])
| project TimeGenerated, ActionType, TargetAccountDisplayName, TARGET_OBJECT_ENTITY_USER, FROM_DEVICE, TO_DEVICE

About this query

Defender for Identity - Honeytoken was queried via SAM-R

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1087.002Account Discovery - Domain Accounthttps://attack.mitre.org/techniques/T1087/002/

Description

Use the below query to identify Honeytoken accounts that are queried via SAM-R.

References

Microsoft Sentinel

Explanation

This query helps identify Honeytoken accounts that are queried via SAM-R in Microsoft Defender for Identity. It looks for specific account SIDs and provides information about the query events such as time, action type, account display name, and devices involved.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 3, 2024

Tables

IdentityQueryEvents

Keywords

SAM-RHoneytokenIdentityQueryEventsActionTypeQueryTypeTargetAccountSidAdditionalFieldsTargetSidTARGET_OBJECT.ENTITY_USERFROM.DEVICETO.DEVICETimeGeneratedTargetAccountDisplayName

Operators

letwhereextendparse_jsontostringinproject

MITRE Techniques

Actions

GitHub