Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This detection uses Windows security events to look for users reading the local Device Identity Key (Machine Key). This information can be correlated with other events for additional context and get to use-cases where a machine key with a transport key together can be used to impersonate an Entra ID joined or registered machine. Reference: https://o365blog.com/post/deviceidentity/
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 9feddda0-6f46-43b4-a54f-5921e2b136b8 |
| Tactics | Credential Access |
| Techniques | T1552 |
| Required Connectors | SecurityEvents |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/SecurityEvent/UsersOpenReadDeviceIdentityKey.yaml) |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊