Forum Discussion
HeikeRitter
Microsoft
Mar 23, 2023
Ninja Cat Giveaway: Episode 7 | Defender for Identity and Defender for Endpoint: Better together
For this episode, your opportunity to win a plush ninja cat is the following -
Tell us about an alert that started either from Defender for Endpoint or Defender for Identity and what additional inf...
tileinic
Mar 24, 2023
Copper Contributor
Absolutely useful to find and kill NTLM in environments:
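// Successful NTLM credential validations over the last 7 days
IdentityLogonEvents
| where TimeGenerated > ago(7d)
| where ActionType == "LogonSuccess"
| where Protocol == "Ntlm"
| where LogonType == "Credentials validation"
// Per source device and account: which target devices were reached over NTLM, and how many
| summarize ['Target Device List']=make_set(DestinationDeviceName), ['Target Device Count']=dcount(DestinationDeviceName) by DeviceName, AccountName
// Widest NTLM usage first
| sort by ['Target Device Count'] desc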