Cette requête permet de :
- Surveiller les accès délégués via Kerberos dans Entra ID.
- Identifier les services accédés, les comptes initiateurs et les types de délégation.
- Filtrer les événements récents pour une détection en quasi temps réel.
// Tuning knobs: how far back the "already seen" baseline reaches, and how
// recent a first occurrence must be to be reported.
let lookback_window = 14d;
let alert_window = 1h;
// Kerberos delegated-resource-access logons across the whole baseline window.
IdentityLogonEvents
| where TimeGenerated > ago(lookback_window)
    and LogonType == "Delegated resource access"
// Lift the delegation details out of the dynamic AdditionalFields bag into
// typed columns so they can be grouped on.
| extend
    ActorObjectSid = AccountSid,
    ActorObjectName = tostring(AdditionalFields["ACTOR.DEVICE"]),
    KerberosDelegationType = tostring(AdditionalFields["KerberosDelegationType"]),
    TargetServicePrincipalNames = tostring(AdditionalFields["Spns"])
// One row per (delegation type, actor, source IP, target) tuple, carrying the
// earliest occurrence inside the baseline window.
| summarize TimeGenerated = arg_min(TimeGenerated, *)
    by KerberosDelegationType, ActorObjectSid, ActorObjectName, IPAddress,
       TargetServicePrincipalNames, TargetDeviceName, TargetAccountDisplayName
// Keep only tuples whose earliest occurrence falls inside the alert window,
// i.e. combinations not observed earlier in the baseline. Note that a tuple
// last seen more than lookback_window ago is outside the baseline and will
// surface again as "new".
| where TimeGenerated > ago(alert_window)
| project
    TimeGenerated, Application, ActionType, LogonType, Protocol,
    KerberosDelegationType, ActorObjectSid, ActorObjectName, IPAddress,
    TargetServicePrincipalNames, TargetDeviceName, TargetAccountDisplayName,
    AdditionalFields