Multiple Multiple Device Names From IP Address
Query
let query_frequency = 1h;
let query_period = 6h;
let repeated_device_threshold = 2;
let new_device_threshold = 3;
let _ExcludedIPAddresses = toscalar(
_GetWatchlist("Service-PrivateCorporateServices")
| where Notes has_any ("[AuthenticationProxyAddress]", "[MultipleDeviceNames]")
| summarize make_list(IPAddress)
);
let _DefenderForIdentity =
union IdentityLogonEvents, IdentityQueryEvents
| where TimeGenerated > ago(query_period)
| where isnotempty(IPAddress) and isnotempty(DeviceName) and not(DeviceName == IPAddress)
| where not(isnotempty(parse_ipv4(IPAddress)) and not(ipv4_is_private(IPAddress)))
;
let _SecurityEvents =
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID in (4624, 4625)
| where not(IpAddress in ("-", "", "::1")) and not(WorkstationName in ("-", "")) and not(toupper(tostring(split(Computer, ".")[0])) == toupper(WorkstationName))
| extend
IPAddress = IpAddress,
DeviceName = WorkstationName,
LogonType = tostring(LogonType)
;
union isfuzzy=true _DefenderForIdentity, _SecurityEvents
| where not(IPAddress in (_ExcludedIPAddresses))
| extend ParsedDeviceName = trim(@"\s+", toupper(tostring(split(DeviceName, ".")[0])))
| as _Events
| join kind=leftsemi (
_Events
| evaluate activity_counts_metrics(ParsedDeviceName, TimeGenerated, ago(query_period), now(), query_frequency, IPAddress)
| where (dcount - new_dcount) >= repeated_device_threshold or new_dcount >= new_device_threshold
| where TimeGenerated > ago(2 * query_frequency)
) on IPAddress
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
EventCount = count(),
take_any(*)
by Type, IPAddress, DeviceName, AccountSid, Application, ActionType, LogonType, Protocol
| project-reorder
StartTime,
EndTime,
ParsedDeviceName,
EventCount,
IPAddress,
DeviceName,
Application,
AccountUpn,
AccountSid,
ActionType,
ProtocolExplanation
This query is designed to monitor and analyze login events from two sources: Defender for Identity and Security Events. Here's a simplified breakdown of what the query does:
-
Set Parameters: It defines several parameters:
query_frequency: How often to check for events (1 hour).query_period: The time window to look back for events (6 hours).repeated_device_threshold: Minimum number of repeated device occurrences to flag (2).new_device_threshold: Minimum number of new device occurrences to flag (3).
-
Exclude Certain IP Addresses: It retrieves a list of IP addresses to exclude from analysis, based on a watchlist of private corporate services.
-
Collect Events from Defender for Identity:
- Gathers login and query events from the past 6 hours.
- Filters out events without an IP address or device name, and those where the device name matches the IP address.
- Excludes public IP addresses.
-
Collect Security Events:
- Retrieves security events with specific Event IDs (4624, 4625) from the past 6 hours.
- Filters out events with missing or default values for IP address and workstation name.
- Ensures the computer name does not match the workstation name.
-
Combine and Filter Events:
- Combines the events from both sources, excluding those with IP addresses in the excluded list.
- Normalizes the device name for consistency.
-
Identify Anomalous Activity:
- Uses activity count metrics to identify devices with unusual activity:
- Devices that appear repeatedly beyond the threshold.
- New devices that appear frequently beyond the threshold.
- Considers only recent events (within the last 2 hours).
- Uses activity count metrics to identify devices with unusual activity:
-
Summarize Results:
- Summarizes the findings by various attributes like IP address, device name, account information, and more.
- Provides a time range for the events and counts the number of events.
-
Reorder and Present Data:
- Reorders the columns for clarity and presents the summarized data.
In essence, this query helps identify potentially suspicious login activities by focusing on devices that show unusual patterns of access within a specified time frame, while excluding known safe IP addresses.
Details

Jose Sebastián Canós
Released: July 10, 2025
Tables
Keywords
Operators