Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them.

Pseudocode

flow = search Flow:Message
smb_setup = filter flow where (dest_port == 445 and protocol == smb.setup)
smb_setup.user = smb_write.proto_info.user_name
smb_setup.target_host = smb_write.proto_info.hostname
output smb_write

Additional Notes:

This analytic monitors SMB activity that deals with user activity rather than file activity.

Data Model References

Object Action Field
flow message dest_port
flow message proto_info
flow message protocol