Network logons that land on a host in the minutes before an alert are a common trace of lateral movement: the attacker reached the device from somewhere else, or opened a session that later turned into command and control. This hunting query takes a detected event as the pivot (the device it fired on and the time it fired) and returns the DeviceLogonEvents records that immediately precede it, so an analyst can see what connected to the device before the alert and judge whether the alert is one piece of a broader compromise.
KQL Query
```kql
// Pivot device and time, named so they cannot collide with the DeviceId and Timestamp columns
let pivotDeviceId = "474908f457a1dc4c1fab568f808d5f77bf3bb951";
let pivotTime = datetime(2018-06-09T02:23:26.6832917Z);
let lookupPeriod = 10m;
DeviceLogonEvents
// Network logons on the pivot device in the 10 minutes before the pivot time
| where Timestamp between ((pivotTime - lookupPeriod) .. pivotTime)
| where DeviceId == pivotDeviceId
| where LogonType == "Network"
```

The repository's version names the let variable `DeviceId`. In a `where` clause a column name takes precedence over a let-bound name of the same name, so `DeviceId == DeviceId` compares the column with itself and the device filter silently matches every row; renaming the variable is the fix. The `between ((pivotTime - lookupPeriod) .. pivotTime)` form spells out the window the original expressed as `.. lookupPeriod` (a timespan end bound means "start plus that span"): the 10 minutes ending at the pivot time.
```yaml
id: a4dfa95d-eb8a-4d71-b669-dcb6dcfcf37a
name: Events surrounding alert
description: |
  This query looks for events that are near in time to a detected event.
  It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event (e.g. a detected event).
  This is useful when you have queries that you run often - e.g. as part of your regular investigation of an alert.
  Original query: filter for network logon events right before some timestamp.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceLogonEvents
query: |
  // Pivot device and time, named so they cannot collide with the DeviceId and Timestamp columns
  let pivotDeviceId = "474908f457a1dc4c1fab568f808d5f77bf3bb951";
  let pivotTime = datetime(2018-06-09T02:23:26.6832917Z);
  let lookupPeriod = 10m;
  DeviceLogonEvents
  // Network logons on the pivot device in the 10 minutes before the pivot time
  | where Timestamp between ((pivotTime - lookupPeriod) .. pivotTime)
  | where DeviceId == pivotDeviceId
  | where LogonType == "Network"
```
| Sentinel Table | Notes |
|---|---|
| DeviceLogonEvents | Ensure the MicrosoftThreatProtection data connector is enabled and ingesting this table |
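The description promises a version that looks up the pivot instead of typing the device ID and timestamp by hand, but the page only carries the original query. The following KQL is an added example, not the query from the Azure-Sentinel repository, that derives both values from the alert itself. It assumes the AlertInfo and AlertEvidence tables are ingested through the same MicrosoftThreatProtection connector, and the alert ID is a placeholder to be replaced with the one from your incident. The variables are named so they cannot collide with the DeviceId and Timestamp columns.

```kql
// Added example: pivot on an alert instead of a hand-typed device ID and timestamp.
// Not the repository's query. Assumes AlertInfo and AlertEvidence are ingested
// alongside DeviceLogonEvents; pivotAlertId is a placeholder.
let pivotAlertId = "<AlertId from the incident>";
let lookupPeriod = 10m;
// Time the alert fired: earliest AlertInfo row for that alert
let pivotTime = toscalar(
    AlertInfo
    | where AlertId == pivotAlertId
    | summarize min(Timestamp));
// Device the alert fired on: the alert's Machine evidence
let pivotDeviceId = toscalar(
    AlertEvidence
    | where AlertId == pivotAlertId and EntityType == "Machine" and isnotempty(DeviceId)
    | summarize take_any(DeviceId));
DeviceLogonEvents
| where DeviceId == pivotDeviceId
// Network logons in the 10 minutes ending at the moment the alert fired
| where Timestamp between ((pivotTime - lookupPeriod) .. pivotTime)
| where LogonType == "Network"
| extend SecondsBeforeAlert = datetime_diff("second", pivotTime, Timestamp)
| project Timestamp, SecondsBeforeAlert, DeviceName, AccountDomain, AccountName,
          ActionType, Protocol, RemoteIP, RemoteDeviceName, IsLocalAdmin
| order by Timestamp desc
```

If the alert ID does not match any row, both `toscalar` calls return null and the query returns nothing rather than erroring, so an empty result is worth a second look at the ID before concluding there were no logons. An alert whose evidence spans several devices needs the `toscalar` on the device replaced with a join against the evidence rows, otherwise `take_any` silently picks one of them.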
Scenario: A system administrator logs into a server to perform routine maintenance and then runs a script that generates a burst of activity within a short time window. The RDP session itself appears in DeviceLogonEvents as LogonType "RemoteInteractive" (Windows event 4624, logon type 10), so it is not returned by this query; the script's access to shares and remote-management endpoints is, as "Network" logons.
Filter/Exclusion: Exclude the known administrative accounts (AccountName) together with the jump host they connect from (RemoteIP or RemoteDeviceName), and limit the exclusion to the agreed maintenance window so the same accounts remain visible at other times.
Scenario: A scheduled job on a database server backs up data, which produces a spike of activity at the same time as a suspicious event. The backup agent authenticates to the server over the network, so its service account appears as Network logons; the accompanying disk I/O and process creation (Windows event 4688) are recorded in DeviceProcessEvents, not in this table.
Filter/Exclusion: Exclude the backup service account combined with the backup server's RemoteDeviceName or RemoteIP, or exclude the known job execution times. Do not exclude on the account alone: a backup account used from an unexpected host is exactly what the query should surface.
Scenario: A user copies files with a legitimate tool (rsync or scp over SSH on Linux hosts, an SMB copy on Windows). The file-system events the copy generates (Sysmon event 1, Windows event 4663) are not logon events, but the transfer produces a Network logon from the user's workstation that can look like lateral movement.
Filter/Exclusion: Exclude the combination of the transferring account and its usual source (RemoteIP or RemoteDeviceName); if you also hunt in DeviceFileEvents, exclude the destination paths known to belong to legitimate transfers.
Scenario: A security tool such as Microsoft Defender or CrowdStrike performs a full system scan, generating a large number of process and file events that could be mistaken for suspicious activity. A local scan creates no network logons and so does not appear in this query; an authenticated vulnerability scanner that logs in to the host over the network does, as Network logons from the scanner's address.
Filter/Exclusion: Exclude events that occur during scheduled scans (e.g.,
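Applying those exclusions to the surrounding-events query, as an added example that is not part of the page's query: every account name, host name, address and maintenance hour below is a placeholder standing in for values from your own environment. The exclusions are written as account-plus-source pairs so that a legitimate account used from an unexpected place still appears in the result.

```kql
// Added example: the surrounding-events query with the tuning above applied.
// Not the repository's query. Every name, address and hour in the tuning
// section is a placeholder for values from your environment.
let pivotDeviceId = "474908f457a1dc4c1fab568f808d5f77bf3bb951";
let pivotTime = datetime(2018-06-09T02:23:26.6832917Z);
let lookupPeriod = 10m;
// Tuning inputs (placeholders)
let adminAccounts    = dynamic(["adm-jsmith", "adm-mlee"]);
let adminJumpHosts   = dynamic(["10.10.0.5"]);       // RemoteIP of the admin jump host
let maintenanceHours = dynamic([2, 3]);              // UTC hours of the maintenance window
let backupAccounts   = dynamic(["svc-backup"]);
let backupServers    = dynamic(["bkp01", "bkp02"]);  // RemoteDeviceName of the backup servers
let transferAccounts = dynamic(["svc-filedrop"]);
let transferSources  = dynamic(["10.10.20.7"]);      // RemoteIP of the usual transfer source
let scannerIPs       = dynamic(["10.10.0.50"]);      // authenticated vulnerability scanner
DeviceLogonEvents
| where DeviceId == pivotDeviceId
| where Timestamp between ((pivotTime - lookupPeriod) .. pivotTime)
| where LogonType == "Network"
| extend Hour = hourofday(Timestamp)
// Scenario 1: admins, but only from the jump host and only inside the maintenance window
| where not(AccountName in~ (adminAccounts) and RemoteIP in (adminJumpHosts) and Hour in (maintenanceHours))
// Scenario 2: the backup service account, but only when it comes from a backup server
| where not(AccountName in~ (backupAccounts) and RemoteDeviceName in~ (backupServers))
// Scenario 3: the file-transfer account, but only from its usual source
| where not(AccountName in~ (transferAccounts) and RemoteIP in (transferSources))
// Scenario 4: the scanner's address, regardless of account
| where not(RemoteIP in (scannerIPs))
| project Timestamp, Hour, DeviceName, AccountDomain, AccountName, ActionType, Protocol,
          RemoteIP, RemoteDeviceName, IsLocalAdmin
| order by Timestamp desc
```

Each `where not(... and ...)` line drops a row only when every condition in the pair holds, which is what keeps the exclusions narrow; a `where AccountName !in~ (adminAccounts)` would hide the admin account from every source, including a compromised workstation. Run the query once without the exclusion lines and once with them, and compare the counts, before trusting a tuned version in an investigation.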