Query Details

AAD Non Interactive User Sign In Logs Password Spray Attack Against Azure AD Seamless SSO

Query

let query_frequency = 30m;      // bin size for the activity metrics and intended run cadence
let query_period = 1h;          // lookback window analysed on each run
let account_threshold = 5;      // distinct accounts per ResultType above which we alert
AADNonInteractiveUserSignInLogs
//| where ResultType == "81016"             // narrower alternative: a single result code
| where ResultType startswith "81"         // keep only result codes in the 81xxx range
| as _Events                               // filtered events, reused as both sides of the join
| join kind=leftsemi (
    _Events
    // per ResultType, count the users (UserId) newly seen in each 30-minute bin of the last hour
    | evaluate activity_counts_metrics(UserId, TimeGenerated, ago(query_period), now(), query_frequency, ResultType)
    | summarize
        PreviousTimeGenerated = arg_min(TimeGenerated, PreviousUserCount = ["new_dcount"]),
        CurrentTimeGenerated = arg_max(TimeGenerated, CurrentUserCount = ["new_dcount"])
        by ResultType
    | where CurrentTimeGenerated > ago(query_period)
    // only one populated bin: there is no earlier count to compare against
    | extend PreviousUserCount = iff(PreviousTimeGenerated == CurrentTimeGenerated, 0, PreviousUserCount)
    // alert when the latest bin alone, or the latest bin plus a previously sub-threshold bin, exceeds the threshold
    | where CurrentUserCount > account_threshold
        or (not(PreviousUserCount > account_threshold) and (PreviousUserCount + CurrentUserCount) > account_threshold)
    ) on ResultType                        // return every event whose ResultType tripped the check

Explanation

This query analyzes non-interactive user sign-in logs from Azure Active Directory (AAD). It considers only events whose ResultType starts with "81"; the commented-out line shows the narrower alternative of matching a single code, 81016.

The query is set to run every 30 minutes (query_frequency) and it looks at data from the past hour (query_period).

Using activity_counts_metrics, it counts, per ResultType, the distinct users (UserId) newly seen in each 30-minute bin of the past hour, then takes the earliest bin as the previous count and the latest bin as the current count. When only one bin has data, the previous count is set to 0.

If the current count of distinct users exceeds the threshold of 5 (account_threshold), or if the previous count was at or below the threshold but the previous and current counts together exceed it, the ResultType is flagged.

The leftsemi join then returns the original sign-in events whose ResultType was flagged; the metrics columns themselves are not part of the output.

In simple terms, this query alerts on a sudden rise in the number of distinct accounts failing with the same 81xxx result code within a short window, which is the pattern a password spray against Seamless SSO produces.
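The following is an added Python re-implementation of the detection logic described above, run over constructed sample records; it is not part of the original query or its author's code. It assumes the three columns the query uses (TimeGenerated, UserId, ResultType), models new_dcount as "users first seen in this bin, per ResultType", and fixes the clock so the run is reproducible.

```python
# Added example: simulate the KQL query's windowed distinct-user comparison.
# Field names mirror the AADNonInteractiveUserSignInLogs columns used by the query.
from collections import defaultdict
from datetime import datetime, timedelta

QUERY_FREQUENCY = timedelta(minutes=30)   # query_frequency: bin size
QUERY_PERIOD = timedelta(hours=1)         # query_period: lookback window
ACCOUNT_THRESHOLD = 5                     # account_threshold

# Fixed "now" so the example is deterministic (constructed, not a real timestamp).
NOW = datetime(2023, 3, 21, 12, 0, 0)

def _event(minutes_ago, user, result_type):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "UserId": user, "ResultType": result_type}

# Constructed sample sign-in records (not real log data).
SAMPLE_EVENTS = (
    # ResultType 81016: four distinct users in the earlier bin, three new users in the
    # latest bin, plus user0 failing again (already counted, so not "new").
    [_event(55, f"user{i}", "81016") for i in range(4)]
    + [_event(10, f"user{i}", "81016") for i in range(4, 7)]
    + [_event(5, "user0", "81016")]
    # ResultType 81012: two distinct users in one bin, below the threshold.
    + [_event(20, "user8", "81012"), _event(15, "user9", "81012")]
    # ResultType 50126: many users, but not an 81xxx code, so never considered.
    + [_event(12, f"other{i}", "50126") for i in range(10)]
    # An 81016 event older than the one-hour window: excluded from the metrics.
    + [_event(90, "user99", "81016")]
)

def new_dcount_per_bin(events, now=NOW, frequency=QUERY_FREQUENCY, period=QUERY_PERIOD):
    """Model activity_counts_metrics' new_dcount: for each ResultType, the number of
    UserIds seen for the first time in each frequency-sized bin of [now - period, now]."""
    start = now - period
    per_type = defaultdict(list)
    for e in events:
        if e["ResultType"].startswith("81") and start <= e["TimeGenerated"] <= now:
            per_type[e["ResultType"]].append(e)
    metrics = {}
    for result_type, evs in per_type.items():
        seen, bins = set(), defaultdict(int)
        for e in sorted(evs, key=lambda ev: ev["TimeGenerated"]):
            bin_index = (e["TimeGenerated"] - start) // frequency
            if e["UserId"] not in seen:
                seen.add(e["UserId"])
                bins[bin_index] += 1
        metrics[result_type] = dict(bins)
    return metrics

def flagged_result_types(events, now=NOW, threshold=ACCOUNT_THRESHOLD):
    """Apply the query's arg_min/arg_max step: the earliest bin is 'previous', the latest
    is 'current'; a single populated bin means previous = 0 (the iff() in the query)."""
    flagged = {}
    for result_type, bins in new_dcount_per_bin(events, now).items():
        first, last = min(bins), max(bins)
        current = bins[last]
        previous = 0 if first == last else bins[first]
        if current > threshold or (not previous > threshold and previous + current > threshold):
            flagged[result_type] = {"PreviousUserCount": previous, "CurrentUserCount": current}
    return flagged

def matching_events(events, now=NOW):
    """The leftsemi join: every 81xxx event whose ResultType tripped the check.
    As in the query, the left side of the join is not itself time-filtered."""
    flagged = flagged_result_types(events, now)
    return [e for e in events if e["ResultType"] in flagged]

if __name__ == "__main__":
    print(new_dcount_per_bin(SAMPLE_EVENTS))      # {'81016': {0: 4, 1: 3}, '81012': {1: 2}}
    print(flagged_result_types(SAMPLE_EVENTS))    # only 81016: previous 4 + current 3 > 5
    print(len(matching_events(SAMPLE_EVENTS)))    # 9 events carry ResultType 81016
```

The 81016 case shows the second branch of the threshold test: neither bin alone exceeds 5 distinct accounts, but the two bins together do, so a spray spread across the bin boundary is still caught. The repeated user0 sign-in is not counted twice, mirroring new_dcount rather than a plain count.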

Details

Jose Sebastián Canós

Released: March 21, 2023

Tables

AADNonInteractiveUserSignInLogs

Keywords

AADNonInteractiveUserSignInLogs, ResultType, UserId, TimeGenerated, PreviousTimeGenerated, CurrentTimeGenerated, PreviousUserCount, CurrentUserCount, AccountThreshold, QueryFrequency, QueryPeriod

Operators

let, join, kind=leftsemi, evaluate, activity_counts_metrics, summarize, arg_min, arg_max, by, where, extend, iff, not, or, ago, now, startswith, ==, >, +, and, on