# MDI - Lateral-Movement-By-Compromised-Accounts.md
Find which devices have been accessed by a list of compromised accounts and which protocol was used to connect. The queries return every successful logon by the listed accounts onto a target device within the search window, together with the protocol (for example NTLM or Kerberos) that was used, which is the starting point for scoping lateral movement during an incident.

Two things to keep in mind when filling in the account list: `has_any` matches whole terms case-insensitively, so `user1` will match `DOMAIN\user1` but not `user10`, and the names must be given as they appear in the `AccountName` column of `IdentityLogonEvents`.

## Defender For Endpoint

```kql
// Account names to scope on, as they appear in the AccountName column
let CompromisedUsers = dynamic(['user1', 'user2']);
// Lookback window; customizable, h = hours, d = days
let SearchWindow = 48h;
IdentityLogonEvents
| where Timestamp > (now() - SearchWindow)
// has_any matches whole terms, case-insensitively
| where AccountName has_any (CompromisedUsers)
// Keep only events where the target device is known
| where isnotempty(TargetDeviceName)
// Successful logons only; failed attempts are a separate hunt
| where ActionType == "LogonSuccess"
| project Timestamp, AccountName, Protocol, TargetDeviceName
```


## Sentinel

```kql
// Account names to scope on, as they appear in the AccountName column
let CompromisedUsers = dynamic(['user1', 'user2']);
// Lookback window; customizable, h = hours, d = days
let SearchWindow = 48h;
IdentityLogonEvents
| where TimeGenerated > (now() - SearchWindow)
// has_any matches whole terms, case-insensitively
| where AccountName has_any (CompromisedUsers)
// Keep only events where the target device is known
| where isnotempty(TargetDeviceName)
// Successful logons only; failed attempts are a separate hunt
| where ActionType == "LogonSuccess"
| project TimeGenerated, AccountName, Protocol, TargetDeviceName
```
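An aggregated variant of the same hunt, added here as an example and not part of the original file: instead of one row per logon event it produces one row per target device, with the accounts and protocols seen, the source devices the logons came from, first and last logon time, and a count. That is the shape you want when deciding which hosts to contain first. It uses the standard `IdentityLogonEvents` columns (`DeviceName` is the source device of the logon); the account list and the 48h window are placeholders. Written for the Defender XDR advanced hunting schema; for Sentinel replace `Timestamp` with `TimeGenerated`.

```kql
let CompromisedUsers = dynamic(['user1', 'user2']);   // placeholder list
let SearchWindow = 48h;                                // placeholder window
IdentityLogonEvents
| where Timestamp > ago(SearchWindow)
| where AccountName has_any (CompromisedUsers)
| where isnotempty(TargetDeviceName)
| where ActionType == "LogonSuccess"
// Collapse to one row per target device
| summarize
    FirstLogon    = min(Timestamp),
    LastLogon     = max(Timestamp),
    LogonCount    = count(),
    Accounts      = make_set(AccountName),
    Protocols     = make_set(Protocol),
    SourceDevices = make_set(DeviceName)
    by TargetDeviceName
// Devices touched by several compromised accounts first, then busiest
| extend AccountCount = array_length(Accounts)
| order by AccountCount desc, LogonCount desc
```

Devices that show up with more than one compromised account, or with a protocol you would not expect for that host (NTLM to a server that should only see Kerberos), are the ones to triage first; the per-event queries above then give you the timeline for each of them.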