Identifies anomalous device logon events from Microsoft Defender for Endpoint (MDE) in the UEBA BehaviorAnalytics table, where a user logs on to a device for the first time or a device connects from an IP address it has not used before. The query keeps only high-priority anomalies and returns the timestamp, action type, source IP address and location, and the associated user, device and activity insights an analyst needs to investigate the event.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | UEBA Essentials |
| ID | c3d4e5f6-g7h8-9012-cdef-gh3456789012 |
| Tactics | InitialAccess, LateralMovement |
| Techniques | T1078, T1021 |
| Required Connectors | BehaviorAnalytics |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| BehaviorAnalytics | ✓ | ✗ | ? |
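One way to express the logic described above in KQL, as an added illustration rather than the solution's own hunting query (that query is the one linked under Source). The EventSource string used to select MDE records, the two ActivityInsights key names, and the priority cut-off are assumptions for this example; confirm each against the records in your own workspace before relying on the results.

```kql
// Added example, not the UEBA Essentials query itself.
// Assumptions (verify in your workspace):
//   - EventSource value that marks MDE-derived records
//   - ActivityInsights key names for the two first-time conditions
//   - InvestigationPriority threshold that counts as "high priority"
let lookback = 7d;
let minPriority = 5;   // assumed cut-off; raise or lower to taste
BehaviorAnalytics
| where TimeGenerated >= ago(lookback)
| where EventSource == "Microsoft Defender for Endpoint"   // assumed value
| where InvestigationPriority >= minPriority
// ActivityInsights is a dynamic bag; pull the two first-time flags out of it.
| extend FirstUserToDevice  = tobool(ActivityInsights["FirstTimeUserConnectedToDevice"]),   // assumed key
         FirstDeviceFromIp  = tobool(ActivityInsights["FirstTimeDeviceConnectedFromIp"])   // assumed key
| where FirstUserToDevice == true or FirstDeviceFromIp == true
| project TimeGenerated, ActionType, ActivityType,
          UserPrincipalName, UserName,
          SourceIPAddress, SourceIPLocation,
          SourceDevice, DestinationDevice,
          InvestigationPriority,
          FirstUserToDevice, FirstDeviceFromIp,
          UsersInsights, DevicesInsights, ActivityInsights
| order by InvestigationPriority desc, TimeGenerated desc
```

To check the assumed key names, list the keys actually present in your data with something like `BehaviorAnalytics | where TimeGenerated >= ago(7d) | mv-expand key = bag_keys(ActivityInsights) | summarize count() by tostring(key)`, and substitute whatever your tenant emits for the two first-time conditions.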