Security Event Possible Unusual Remote Session In A Domain Controller
Query
let query_frequency = 1h;
let query_period = 14d;
let _DomainControllers = toscalar(
_GetWatchlist("Service-PrivateCorporateServices")
| where Service == "DomainController"
| summarize make_list(HostName)
);
let _ExpectedRemoteSessionAccounts = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "DomainControllerRemoteSession"
| summarize make_list(ActorPrincipalName)
);
let _ExpectedIPs = toscalar(
_GetWatchlist("Service-PrivateCorporateServices")
| where Notes has "[PAM]"
| summarize make_list(IPAddress)
);
union
(
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID == 4673 and Computer has_any (_DomainControllers)// and Process has "svchost.exe"
| summarize
Count = count(),
arg_min(TimeGenerated, *)
by Computer, Account, Process
| where TimeGenerated > ago(query_frequency)
),
(
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID == 4674 and Computer has_any (_DomainControllers)
| where (ObjectType has "Key" and (
ObjectName has_all (@"\REGISTRY\USER\", @"_Classes\Local Settings\MuiCache\")
or ObjectName has_all (@"\REGISTRY\USER\", @"\Software\Microsoft\Windows\CurrentVersion\CloudStore")
or ObjectName has @"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters"))
or ObjectName has_all (@"\BaseNamedObjects\", @"WilStaging")
| summarize
Count = count(),
ObjectNames = array_sort_asc(make_set(ObjectName, 50)),
arg_min(TimeGenerated, *)
by Computer, Account, ObjectType
| where TimeGenerated > ago(query_frequency)
),
(
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID == 4688 and Computer has_any (_DomainControllers) and not(TargetAccount has_any (@"Window Manager\DWM-", @"Font Driver Host\UMFD-"))// and NewProcessName has "wsmprovhost.exe"
| summarize
Count = count(),
NewProcessNames = array_sort_asc(make_set(NewProcessName, 50)),
arg_min(TimeGenerated, *)
by Computer, Account, TargetAccount
| where TimeGenerated > ago(query_frequency)
)
| join kind=leftouter (
SecurityEvent
| where TimeGenerated > ago(query_period)
| where Computer has_any (_DomainControllers) and EventID == 4624 and not(LogonType in (3))
| project
Logon_TimeGenerated = TimeGenerated,
Computer,
Account,
Logon_IpAddress = IpAddress,
TargetLogonId
) on Computer, Account, $left.SubjectLogonId == $right.TargetLogonId
| project-away *1
| where not(Account in (_ExpectedRemoteSessionAccounts) and Logon_IpAddress in (_ExpectedIPs))
| where not(EventID == 4688 and TargetAccount in (_ExpectedRemoteSessionAccounts))
| sort by Activity asc, Computer asc, Account asc, TargetAccount asc, TimeGenerated asc
| project
TimeGenerated,
Computer,
AccountType,
Account,
TargetAccount,
Activity,
Count,
ObjectType,
ObjectNames,
NewProcessNames,
AccessMask,
ProcessName,
PrivilegeList,
SubjectLogonId,
TargetLogonId,
Logon_TimeGenerated,
Logon_IpAddress,
EventDataExplanation
This query is designed to monitor and analyze security events related to domain controllers over a specified period. Here's a simplified breakdown of what it does:
-
Setup and Definitions:
- It defines a
query_frequencyof 1 hour and aquery_periodof 14 days. - It retrieves lists of domain controllers, expected remote session accounts, and expected IP addresses from specific watchlists.
- It defines a
-
Event Collection:
- It collects security events (Event IDs 4673, 4674, and 4688) from the past 14 days that involve domain controllers.
- For each event type:
- Event ID 4673: Privilege use events are summarized by computer, account, and process.
- Event ID 4674: Object access events are summarized by computer, account, and object type, focusing on specific registry and object names.
- Event ID 4688: New process creation events are summarized by computer, account, and target account, excluding certain system accounts.
-
Logon Event Join:
- It joins these events with logon events (Event ID 4624) to correlate activities with logon sessions, excluding network logons (LogonType 3).
-
Filtering:
- It filters out events involving expected remote session accounts and expected IP addresses.
- It also excludes certain process creation events involving expected remote session accounts.
-
Sorting and Projection:
- The results are sorted by activity, computer, account, target account, and time.
- It projects a set of relevant fields for further analysis, such as time generated, computer, account details, activity count, object names, process names, and logon details.
In essence, this query helps identify unusual or unexpected security events on domain controllers by comparing them against known expected behaviors and configurations.
Details

Jose Sebastián Canós
Released: September 22, 2025
Tables
_GetWatchlistSecurityEvent
Keywords
QueryFrequencyPeriodDomainControllersExpectedRemoteSessionAccountsExpectedIPsSecurityEventTimeGeneratedEventIDComputerAccountProcessObjectTypeObjectNameTargetAccountLogonTypeLogonTimeGeneratedIpAddressTargetLogonIdActivityAccountTypeAccessMaskProcessNamePrivilegeListSubjectLogonIdEventData
Operators
lettoscalar_GetWatchlistwheresummarizemake_listagounionhas_anycountarg_minhas_allarray_sort_ascmake_setnotjoinkindprojectinproject-awaysortbyasc