Multiple Suspicious Device Name
Query
let suspicious_device_name = dynamic([
"kali",
"parrot"
]);
union isfuzzy=true
IdentityLogonEvents,
IdentityQueryEvents,
IdentityDirectoryEvents,
SecurityEvent
| where DeviceName has_any (suspicious_device_name) or WorkstationName has_any (suspicious_device_name)
| extend
SourceAccount = coalesce(AccountUpn, Account),
SourceIPAddress = coalesce(IPAddress, IpAddress),
SuspiciousDeviceName = coalesce(DeviceName, WorkstationName)Explanation
This query is designed to identify potentially suspicious activities involving devices with specific names. Here's a simplified explanation:
-
Define Suspicious Device Names: It starts by listing device names considered suspicious, specifically "kali" and "parrot".
-
Combine Data from Multiple Sources: It merges data from four different sources: IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents, and SecurityEvent. The
isfuzzy=trueoption allows for a more flexible combination of these datasets. -
Filter for Suspicious Devices: It filters the combined data to find records where either the
DeviceNameorWorkstationNamecontains any of the suspicious names ("kali" or "parrot"). -
Extract Relevant Information: For each record that matches the criteria, it extracts and standardizes key information:
SourceAccount: The account associated with the event, using eitherAccountUpnorAccount.SourceIPAddress: The IP address associated with the event, using eitherIPAddressorIpAddress.SuspiciousDeviceName: The name of the suspicious device, using eitherDeviceNameorWorkstationName.
In summary, this query helps identify and extract details about events involving devices with names that are typically associated with security testing or penetration testing tools.
Details

Jose Sebastián Canós
Released: June 26, 2024
Tables
Keywords
Operators