
Events surrounding alert (3)

kql · MEDIUM · Azure-Sentinel · AlertEvidence · DeviceLogonEvents · hunting · microsoft · official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-22T11:00:00Z · Confidence: medium

Hunt Hypothesis

Given an alert, the question is what happened on the affected device in the minutes before the detection fired. This query takes an AlertId, derives the device and the first evidence timestamp from AlertInfo and AlertEvidence, and lists the network logons on that device (LogonType == "Network", Windows logon type 3, i.e. sessions opened from another host such as SMB or remote-management connections) in the 10 minutes leading up to that timestamp. A remote logon immediately preceding an alert is the usual footprint of an operator moving laterally onto the host, so reviewing these events shows which source and which account the activity arrived with and lets the analyst pivot to the upstream device.

KQL Query

// Instead of copy-pasting a timestamp into the query, derive it from an event you can filter on.
// Here the pivot is the first timestamp of the alert's evidence, looked up by AlertId.
// The AlertId is available from the APIs (SIEM, Graph API, PowerBI, the DeviceAlertEvents table)
// or from the UI (the last path segment of the link to the alert page).
let alertId = "636641078490537577_-1905871543";
let alert = AlertInfo
    | join AlertEvidence on AlertId
    | where AlertId == alertId and isnotempty(DeviceId)   // evidence rows for non-device entities carry an empty DeviceId
    | summarize AlertFirstTimestamp=min(Timestamp) by DeviceId;
// Use a lower-case name for the device scalar: a let variable called DeviceId is shadowed by the
// DeviceId column inside the where clause, which turns the filter into DeviceId == DeviceId (always true).
// toscalar() takes the first row, so for an alert spanning several devices only one device is used.
let deviceId = toscalar(alert | project DeviceId);
let timestamp = toscalar(alert | project AlertFirstTimestamp);
let lookupPeriod = 10m;
// between (start .. timespan) covers start to start+timespan, i.e. the lookupPeriod before the pivot.
DeviceLogonEvents
| where Timestamp between ((timestamp - lookupPeriod) .. lookupPeriod)
        and DeviceId == deviceId
        and LogonType == "Network"
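An added example, not part of the rule in the Azure-Sentinel repository: the same alert-pivot technique generalised to alerts whose evidence names more than one device, with a window on both sides of the pivot. It replaces the two toscalar() lookups with a join on DeviceId, so each device gets its own window. The alert ID is the page's sample value and is an assumed placeholder; the column names are those of the AlertEvidence and DeviceLogonEvents tables.

```kql
// Added example (not part of the original rule): alert pivot that handles multi-device alerts.
// Assumption: alertId is a placeholder; substitute the AlertId you are investigating.
let alertId = "636641078490537577_-1905871543";
let lookupPeriod = 10m;
// One pivot row per device named in the alert evidence. Evidence rows for users, files, IPs
// and other non-device entities carry an empty DeviceId and are dropped.
let pivots =
    AlertEvidence
    | where AlertId == alertId and isnotempty(DeviceId)
    | summarize AlertFirstTimestamp = min(Timestamp) by DeviceId;
DeviceLogonEvents
| where LogonType == "Network"
// Join instead of toscalar(): every device in the alert gets its own window, not just the first row.
| join kind=inner pivots on DeviceId
// Symmetric window: lookupPeriod before and after the first evidence timestamp for that device.
| where Timestamp between ((AlertFirstTimestamp - lookupPeriod) .. (AlertFirstTimestamp + lookupPeriod))
| extend OffsetFromAlert = Timestamp - AlertFirstTimestamp   // negative = before the alert
| project Timestamp, OffsetFromAlert, DeviceName, ActionType, AccountDomain, AccountName,
          RemoteIP, RemoteDeviceName, Protocol, DeviceId
| order by DeviceId asc, Timestamp asc
```

Because the window is now a per-row predicate after a join rather than a scalar the engine can push down, add a coarse bound such as `| where Timestamp > ago(30d)` before the join, sized to the age of the alert, to keep the scan of DeviceLogonEvents cheap.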

Analytic Rule Definition

id: c4955324-02ff-46fa-a642-64952334482d
name: Events surrounding alert (3)
description: |
  This query looks for events that are near in time to a detected event.
  It shows how to avoid typing exact timestamps by replacing them with a short query that returns the timestamp of the pivot event (e.g. the detected event).
  This is useful for queries you run often, e.g. as part of the regular investigation of an alert.
  Original query: filter for network logon events right before some timestamp.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceAlertEvents
  - AlertInfo
  - AlertEvidence
  - DeviceLogonEvents
query: |
  // Instead of copy-pasting a timestamp into the query, derive it from an event you can filter on.
  // Here the pivot is the first timestamp of the alert's evidence, looked up by AlertId.
  // The AlertId is available from the APIs (SIEM, Graph API, PowerBI, the DeviceAlertEvents table)
  // or from the UI (the last path segment of the link to the alert page).
  let alertId = "636641078490537577_-1905871543";
  let alert = AlertInfo
      | join AlertEvidence on AlertId
      | where AlertId == alertId and isnotempty(DeviceId)   // evidence rows for non-device entities carry an empty DeviceId
      | summarize AlertFirstTimestamp=min(Timestamp) by DeviceId;
  // Use a lower-case name for the device scalar: a let variable called DeviceId is shadowed by the
  // DeviceId column inside the where clause, which turns the filter into DeviceId == DeviceId (always true).
  // toscalar() takes the first row, so for an alert spanning several devices only one device is used.
  let deviceId = toscalar(alert | project DeviceId);
  let timestamp = toscalar(alert | project AlertFirstTimestamp);
  let lookupPeriod = 10m;
  // between (start .. timespan) covers start to start+timespan, i.e. the lookupPeriod before the pivot.
  DeviceLogonEvents
  | where Timestamp between ((timestamp - lookupPeriod) .. lookupPeriod)
          and DeviceId == deviceId
          and LogonType == "Network"

Required Data Sources

Sentinel Table       Notes
AlertInfo            Ensure this data connector is enabled
AlertEvidence        Ensure this data connector is enabled
DeviceLogonEvents    Ensure this data connector is enabled

False Positive Guidance

Network logons are routine on most hosts: file-share access, management tooling, backup agents and monitoring all produce LogonType == "Network" events, so a non-empty result set is not suspicious by itself. Compare the RemoteIP, RemoteDeviceName and AccountName of each logon against what is normal for the device and look for sources or accounts that are first-seen close to the alert time. The query also pins the window to a single device: when the alert evidence names several devices, toscalar() returns only the first one, so re-run it per DeviceId (or join on DeviceId) to cover the rest.

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/General queries/Events surrounding alert (3).yaml