Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This detection uses Windows security events to look for users reading the local Device Identity Key (Machine Key). This information can be correlated with other events for additional context and get to use-cases where a machine key with a transport key together can be used to impersonate an Entra ID joined or registered machine. Reference: https://o365blog.com/post/deviceidentity/
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 9feddda0-6f46-43b4-a54f-5921e2b136b8 |
| Tactics | Credential Access |
| Techniques | T1552 |
| Required Connectors | SecurityEvents |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
SecurityEvent |
✓ | ✓ | ? |
The following connectors provide data for this content item:
| Connector | Solution |
|---|---|
| WindowsSecurityEvents | Windows Security Events |
Solutions: Windows Security Events
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊