Adversaries may be leveraging recently detected activity to move laterally or escalate privileges within the environment. SOC teams should proactively hunt for these correlated events in Azure Sentinel to identify potential follow-on malicious behavior and prevent further compromise.
KQL Query
```kusto
// This query looks for events that are near in time to a detected event.
// It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event (e.g. a detected event).
// This is useful when you have queries that you run often - e.g. as part of your regular investigation of an alert.
// Original query: filter for network logon events right before some timestamp
// The pivot device is bound to a name that does not collide with the DeviceId column:
// "DeviceId == DeviceId" compares a value with itself and would match every row.
let pivotDeviceId = "474908f457a1dc4c1fab568f808d5f77bf3bb951";
let timestamp = datetime(2018-06-09T02:23:26.6832917Z);
let lookupPeriod = 10m;
DeviceLogonEvents
// Window of length lookupPeriod that ends at the pivot timestamp
| where Timestamp between ((timestamp - lookupPeriod) .. timestamp)
    and DeviceId == pivotDeviceId
    and LogonType == "Network"
```
```yaml
id: 683549f4-4f4a-4cc8-becf-ff5b91dc6f07
name: Events surrounding alert (2)
description: |
  This query looks for events that are near in time to a detected event.
  It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event (e.g. a detected event).
  This is useful when you have queries that you run often - e.g. as part of your regular investigation of an alert.
  Original query: filter for network logon events right before some timestamp.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceLogonEvents
query: |
  // This query looks for events that are near in time to a detected event.
  // It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event (e.g. a detected event).
  // This is useful when you have queries that you run often - e.g. as part of your regular investigation of an alert.
  // Original query: filter for network logon events right before some timestamp
  // The pivot device is bound to a name that does not collide with the DeviceId column:
  // "DeviceId == DeviceId" compares a value with itself and would match every row.
  let pivotDeviceId = "474908f457a1dc4c1fab568f808d5f77bf3bb951";
  let timestamp = datetime(2018-06-09T02:23:26.6832917Z);
  let lookupPeriod = 10m;
  DeviceLogonEvents
  // Window of length lookupPeriod that ends at the pivot timestamp
  | where Timestamp between ((timestamp - lookupPeriod) .. timestamp)
      and DeviceId == pivotDeviceId
      and LogonType == "Network"
```
| Sentinel Table | Notes |
|---|---|
| DeviceLogonEvents | Ensure this data connector is enabled |
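The comments in the query describe deriving the pivot timestamp from the detected event rather than typing it in, yet the query itself still hardcodes both the timestamp and the device. The following KQL is an added example, not part of the original hunting query, that fills in that step: it reads the pivot time and device from the AlertInfo and AlertEvidence tables (assumed to be ingested through the same MicrosoftThreatProtection connector), so only the alert ID has to be supplied; the alert ID shown is a placeholder.

```kusto
// Added example (not the original query): pivot on an alert ID instead of a typed timestamp.
// Assumes AlertInfo and AlertEvidence are available through the MicrosoftThreatProtection connector.
let alertId = "<ALERT_ID_PLACEHOLDER>";   // replace with the AlertId under investigation
let lookupPeriod = 10m;
// Pivot timestamp: the earliest Timestamp recorded for the alert.
let pivotTime = toscalar(
    AlertInfo
    | where AlertId == alertId
    | summarize min(Timestamp));
// Pivot device: the first device entity attached to the alert.
let pivotDeviceId = toscalar(
    AlertEvidence
    | where AlertId == alertId and isnotempty(DeviceId)
    | take 1
    | project DeviceId);
DeviceLogonEvents
// Same window as the original query: lookupPeriod ending at the pivot event
| where Timestamp between ((pivotTime - lookupPeriod) .. pivotTime)
    and DeviceId == pivotDeviceId
    and LogonType == "Network"
| project Timestamp, DeviceName, ActionType, AccountDomain, AccountName,
          RemoteIP, RemoteDeviceName, IsLocalAdmin
| order by Timestamp asc
```

If the alert carries evidence for several devices, `take 1` picks one of them arbitrarily; replace the scalar lookup with a join against AlertEvidence so that each device gets its own window.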
Scenario: A system administrator manually logs into a server to perform routine maintenance and runs a script that generates a series of log entries around the same time as a legitimate system event.
Filter/Exclusion: Exclude events related to known administrative tasks (e.g., event_id = 4624 with logon_type = 10) or filter by user account (e.g., user = "admin") and include a process_name like maintenance_script.exe.
Scenario: A scheduled job runs on a server to back up data, which results in a burst of file system activity and log entries that appear suspiciously timed with a detected alert.
Filter/Exclusion: Exclude events associated with scheduled tasks (e.g., task_name = "BackupJob") or filter by process_name such as backup.exe or vsservice.exe.
Scenario: A security tool (e.g., CrowdStrike or Microsoft Defender) performs a full system scan, which generates a high volume of events within a short time window, mimicking malicious activity.
Filter/Exclusion: Exclude events related to endpoint protection tools (e.g., process_name = "CrowdStrikeAgent.exe" or Microsoft Defender), or use a process_name filter to exclude known security software.
Scenario: An IT team deploys a patch update across multiple systems, which triggers a series of system events (e.g., service restarts, registry changes) that coincide with the alert’s timestamp.
Filter/Exclusion: Exclude events related to patch deployment (e.g., event_id = 6008 with event_data = "Service Control Manager") or filter by process_name such as wusa.exe or msiexec.exe.
Scenario: A user initiates a file transfer or large data sync (e