
Recon Activity with Interactive Logon Correlation

kql · MEDIUM · Azure-Sentinel
Techniques: T1190, T1078
Tables: SecurityAlert, SecurityEvent
Tags: hunting, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-06-03T11:00:00Z · Confidence: medium

Hunt Hypothesis

This hunt pairs reconnaissance and risky sign-in alerts (atypical travel, unfamiliar sign-in properties, anonymous or malicious IP addresses, password spray, targeted port scans) with successful RDP logons (Event ID 4624, LogonType 10 RemoteInteractive) on the same entity within the following 15 minutes. The hypothesis is that an adversary who has exploited an exposed service (T1190) or obtained valid credentials (T1078) will follow the reconnaissance with an interactive session to establish a foothold and move laterally. A hit means a flagged host saw an RDP logon shortly after an alert fired; SOC teams should treat it as a lead for possible initial compromise to investigate in Azure Sentinel, not as a confirmed intrusion.

KQL Query

// Step 1: reconnaissance and sign-in-risk alerts, grouped per subscription, entity and alert time.
// Note: grouping on the raw TimeGenerated means number_alerts only exceeds 1 when alerts share
// an identical timestamp; use bin(TimeGenerated, 15m) if a per-window alert count is wanted.
SecurityAlert
| where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans')
| summarize count(), make_set(AlertName) by WorkspaceSubscriptionId, CompromisedEntity = toupper(CompromisedEntity), TimeGenerated
| extend number_alerts = array_length(set_AlertName)
// Step 2: successful RemoteInteractive (RDP / Terminal Services) logons: Event ID 4624 with LogonType 10.
// The join key is the host name. For Entra ID Protection alerts (atypical travel, unfamiliar sign-in
// properties, password spray, ...) CompromisedEntity is a user principal name, so those alerts only
// match if the join is changed to compare the user against Account instead of Computer.
| join kind=inner (
    SecurityEvent
    | where EventID == 4624 and LogonType == 10
    | project Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, Interactivelogontime = TimeGenerated
) on $left.CompromisedEntity == $right.Computer
| project TimeGenerated, Interactivelogontime, AccountCustomEntity = Account, AccountType, CompromisedEntity, Activity, IpAddress
// Step 3: keep only logons that occur in the 15 minutes after the alert (between() is inclusive at both ends).
| extend TimeWindow = TimeGenerated + 15m
| where Interactivelogontime between (TimeGenerated .. TimeWindow)
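To check the semantics of the query offline (case normalization of the join key, the inclusive 15-minute window, the LogonType filter, and the fact that user-scoped alerts never match a host join), here is the same correlation re-implemented in plain Python over a few constructed SecurityAlert and SecurityEvent rows. This is an added example, not code from the Azure-Sentinel repository. The join_on="account" variant, and the assumption that the local part of a UPN equals the SAM account name in DOMAIN\user, are this example's own, not something the rule provides.

```python
"""Correlation logic of the hunt re-implemented in plain Python (added example, not
the rule's own code).  Field names mirror SecurityAlert / SecurityEvent; the rows
below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Same alert list as the KQL has_any() clause.
RECON_ALERT_NAMES = {
    "Atypical travel", "Unfamiliar sign-in properties", "Anonymous IP address",
    "Malware linked IP address", "Malicious IP address", "Password Spray",
    "Targeted port scans",
}
WINDOW = timedelta(minutes=15)   # TimeWindow = TimeGenerated + 15m
LOGON_SUCCESS = 4624             # EventID 4624: an account was successfully logged on
REMOTE_INTERACTIVE = 10          # LogonType 10: RemoteInteractive (RDP / Terminal Services)


def _local_part(name):
    """Assumed UPN<->SAM mapping: 'alice@contoso.example' and 'CONTOSO\\alice' -> 'alice'."""
    name = name.lower()
    return name.split("@", 1)[0] if "@" in name else name.rsplit("\\", 1)[-1]


def summarize_alerts(alerts):
    """Mirror the KQL summarize: group by (subscription, upper(entity), TimeGenerated)."""
    groups = defaultdict(set)
    for a in alerts:
        if a["AlertName"] in RECON_ALERT_NAMES:
            key = (a["WorkspaceSubscriptionId"], a["CompromisedEntity"].upper(), a["TimeGenerated"])
            groups[key].add(a["AlertName"])
    return [{"WorkspaceSubscriptionId": sub, "CompromisedEntity": ent, "TimeGenerated": t,
             "set_AlertName": sorted(names), "number_alerts": len(names)}
            for (sub, ent, t), names in groups.items()]


def correlate(alerts, events, join_on="computer"):
    """Inner-join summarized alerts to 4624/LogonType 10 events and keep logons in
    [alert time, alert time + 15m].  join_on="computer" is the rule's own key;
    join_on="account" is the variant needed for identity alerts whose
    CompromisedEntity is a user principal name rather than a host."""
    logons = [e for e in events
              if e["EventID"] == LOGON_SUCCESS and e["LogonType"] == REMOTE_INTERACTIVE]
    hits = []
    for alert in summarize_alerts(alerts):
        start = alert["TimeGenerated"]
        for e in logons:
            if join_on == "computer":
                matched = alert["CompromisedEntity"] == e["Computer"].upper()
            else:
                matched = _local_part(alert["CompromisedEntity"]) == _local_part(e["Account"])
            # KQL between() is inclusive at both ends
            if matched and start <= e["TimeGenerated"] <= start + WINDOW:
                hits.append({"TimeGenerated": start, "Interactivelogontime": e["TimeGenerated"],
                             "AccountCustomEntity": e["Account"].lower(),
                             "CompromisedEntity": alert["CompromisedEntity"],
                             "IpAddress": e["IpAddress"], "Alerts": alert["set_AlertName"]})
    return hits


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample rows (not real data).
SAMPLE_ALERTS = [
    {"TimeGenerated": _ts("2026-06-01T09:00:00"), "AlertName": "Malicious IP address",
     "CompromisedEntity": "srv-web01", "WorkspaceSubscriptionId": "sub-a"},
    {"TimeGenerated": _ts("2026-06-01T09:00:00"), "AlertName": "Targeted port scans",
     "CompromisedEntity": "SRV-WEB01", "WorkspaceSubscriptionId": "sub-a"},
    # identity alert: the entity is a UPN, so the host join can never match it
    {"TimeGenerated": _ts("2026-06-01T10:00:00"), "AlertName": "Atypical travel",
     "CompromisedEntity": "alice@contoso.example", "WorkspaceSubscriptionId": "sub-a"},
    # not in the has_any list, ignored
    {"TimeGenerated": _ts("2026-06-01T11:00:00"), "AlertName": "Suspicious process executed",
     "CompromisedEntity": "SRV-DB01", "WorkspaceSubscriptionId": "sub-a"},
]
SAMPLE_EVENTS = [
    # RDP logon 4 minutes after the srv-web01 alerts: inside the window
    {"TimeGenerated": _ts("2026-06-01T09:04:00"), "EventID": 4624, "LogonType": 10,
     "Account": "CONTOSO\\Admin01", "Computer": "srv-web01", "IpAddress": "203.0.113.10"},
    # same host, 30 minutes later: outside the window
    {"TimeGenerated": _ts("2026-06-01T09:30:00"), "EventID": 4624, "LogonType": 10,
     "Account": "CONTOSO\\Admin01", "Computer": "srv-web01", "IpAddress": "203.0.113.10"},
    # network logon (LogonType 3): filtered out before the join
    {"TimeGenerated": _ts("2026-06-01T09:05:00"), "EventID": 4624, "LogonType": 3,
     "Account": "CONTOSO\\svc-backup", "Computer": "srv-web01", "IpAddress": "10.0.0.5"},
    # alice's RDP logon 6 minutes after her sign-in-risk alert, on a different host
    {"TimeGenerated": _ts("2026-06-01T10:06:00"), "EventID": 4624, "LogonType": 10,
     "Account": "CONTOSO\\alice", "Computer": "WS-ALICE", "IpAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for key in ("computer", "account"):
        for hit in correlate(SAMPLE_ALERTS, SAMPLE_EVENTS, join_on=key):
            print(key, hit["CompromisedEntity"], hit["AccountCustomEntity"], hit["Alerts"])
```

Run with the rule's host join, only the srv-web01 logon at 09:04 survives: the 09:30 logon falls outside the window, the LogonType 3 logon is dropped before the join, and the atypical-travel alert on alice matches nothing because its entity is a UPN, not a computer name. The account join recovers alice's RDP logon on WS-ALICE; in a real workspace that variant needs the UPN-to-account mapping checked against your directory before it is trusted.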

Analytic Rule Definition

id: 346d36c9-2e79-4d8f-8c14-1eef73d38737
name: Recon Activity with Interactive Logon Correlation
description: |
  'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity'
requiredDataConnectors:
  - connectorId: AzureSecurityCenter
    dataTypes:
      - SecurityAlert (ASC)
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes: 
      - SecurityEvents 
  - connectorId: WindowsForwardedEvents
    dataTypes: 
      - WindowsEvent 
tactics:
  - InitialAccess
  - Impact
relevantTechniques:
  - T1190
  - T1078
query: |
    SecurityAlert
    | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans')
    | summarize count(),make_set(AlertName) by WorkspaceSubscriptionId,CompromisedEntity= toupper(CompromisedEntity),TimeGenerated
    | extend number_alerts = array_length(set_AlertName)
    | join kind=inner
    (
    SecurityEvent
    | where EventID == 4624 and LogonType == 10
      | project  Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName,Interactivelogontime=TimeGenerated
      ) on  $left.CompromisedEntity==$right.Computer
      | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress
      | extend TimeWindow = TimeGenerated + 15m
      | where Interactivelogontime between (TimeGenerated .. TimeWindow)
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IpAddress

Required Data Sources

Sentinel Table   Notes
SecurityAlert    Ensure this data connector is enabled. Most of the alert names the query looks for (Atypical travel, Unfamiliar sign-in properties, Anonymous IP address, Malware linked IP address, Malicious IP address, Password Spray) are Microsoft Entra ID Protection risk detections, so that connector must be feeding SecurityAlert in addition to the AzureSecurityCenter connector the rule lists.
SecurityEvent    Ensure this data connector is enabled (Windows Security Events via the agent) and that the chosen event collection set includes Event ID 4624; without LogonType 10 records the join returns nothing.

MITRE ATT&CK Context

T1190 Exploit Public-Facing Application (Initial Access): the targeted port scan and malicious-IP alerts represent the reconnaissance and exploitation attempts that precede a foothold on an exposed host.
T1078 Valid Accounts (Initial Access, Persistence, Privilege Escalation, Defense Evasion): the sign-in risk alerts (atypical travel, unfamiliar sign-in properties, password spray) indicate credential misuse, and the correlated RDP logon is the adversary using those credentials interactively.

References

MITRE ATT&CK T1190: https://attack.mitre.org/techniques/T1190/
MITRE ATT&CK T1078: https://attack.mitre.org/techniques/T1078/

False Positive Guidance

Legitimate administrator RDP sessions that happen to land within 15 minutes of an alert on the same host are the main source of noise, especially on jump hosts and internet-facing servers that attract constant port scans and malicious-IP alerts. Before escalating, check whether AccountCustomEntity is an expected administrator, whether IpAddress belongs to a known management network or VPN range, and whether the user behind a sign-in-risk alert was travelling or enrolling a new device. Filtering AccountType to user accounts and excluding known service accounts reduces volume without hiding a real follow-on logon. Note that number_alerts only exceeds 1 when alerts share an identical TimeGenerated, so it is not a reliable severity signal unless the summarize is changed to bin TimeGenerated.

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml