Query Details

AAD Non Interactive User Sign In Logs Unexpected Authentication From Windows Azure Active Directory App

Query

// Since 6 January 2025 threat actors have been using this first-party app (or a specific endpoint of it) to perform password sprays with characteristic properties.
// Optional: build the list of ResultTypes that count as success or expired credential from a watchlist, to keep only attempts where the password was accepted.
// let _SuccessResultTypes = toscalar(
//     _GetWatchlist("ResultType-SignInLogsErrorCodes")
//     | where Notes has_any ("[Expired]", "[Success]") and isnotempty(ResultDescription)
//     | summarize make_list(ResultType)
// );
AADNonInteractiveUserSignInLogs
| where AppId == "00000002-0000-0000-c000-000000000000" // Windows Azure Active Directory - ResourceIdentity and ResourceDisplayName are empty for this app, so filter on AppId
| where not(ResultType in (50126, 50053)) // drop the bulk of the spray: 50126 (invalid username or password) and 50053 (account locked after repeated failures)
// | where ClientAppUsed == "Other clients" and UserAgent == "fasthttp" // client fingerprint observed in this campaign
// | where ResultType in (_SuccessResultTypes) or AuthenticationDetails has 'succeeded":true' // keep only attempts where a credential was accepted (needs the let above)
| project-reorder
    CreatedDateTime,
    Category,
    UserPrincipalName,
    AlternateSignInName,
    IPAddress,
    Location,
    AutonomousSystemNumber,
    ResultType,
    ResultDescription,
    AuthenticationDetails,
    AppDisplayName,
    UserAgent,
    AppId,
    UserId,
    OriginalRequestId,
    CorrelationId

Explanation

This KQL query analyzes Entra ID (Azure AD) non-interactive user sign-in logs for a password-spray pattern the author has observed since 6 January 2025: authentication attempts made against the first-party "Windows Azure Active Directory" application. Breakdown of what the query does:

  1. Filter by application: It keeps only events where AppId is "00000002-0000-0000-c000-000000000000", the Windows Azure Active Directory app. For this app ResourceIdentity and ResourceDisplayName are empty, so AppId is the reliable selector.

  2. Drop the expected failures: Result types 50126 (invalid username or password) and 50053 (account locked after repeated failures) make up the bulk of any spray. Excluding them leaves the attempts that got past the password check or produced an unusual error, which are the ones worth triaging.

  3. Optional tightening (commented out): A watchlist named "ResultType-SignInLogsErrorCodes" can supply the list of result types tagged [Success] or [Expired]; combined with a text match on AuthenticationDetails for "succeeded":true, this restricts the output to sign-ins where a credential was accepted. A second commented filter on ClientAppUsed == "Other clients" and UserAgent == "fasthttp" keys on the client fingerprint the author associates with this campaign.

  4. Project relevant data: project-reorder puts the fields useful for triage first: timestamp, category, user principal name and alternate sign-in name, IP address, location and ASN, result type and description, authentication details, application display name, user agent, and the app, user, request and correlation identifiers.

Overall, the query surfaces the non-standard outcomes of authentication attempts against the Windows Azure Active Directory app, so that attempts where a password was accepted, or that ended in an unusual error, stand out from the mass of plain credential failures a spray generates.
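The filter logic above, replayed in Python over constructed sample records so it can be run offline. This is an added example and not part of the original query page; the records are invented (RFC 5737 addresses, a fictional contoso.example tenant) and only mirror the column names of AADNonInteractiveUserSignInLogs. It applies the same three stages as the KQL (AppId filter, exclusion of 50126/50053, the optional fasthttp and credential-accepted checks) and then goes one step beyond the page by summarizing distinct targeted users per source IP, which is the shape that distinguishes a spray from an isolated failure. The success check parses AuthenticationDetails as JSON rather than doing the KQL text match, so a truncated or empty value is treated as "no success" instead of raising.

```python
"""Replay of the Windows Azure Active Directory password-spray filter over constructed records."""
import json
from collections import defaultdict

# Constants taken from the KQL query.
WAAD_APP_ID = "00000002-0000-0000-c000-000000000000"   # Windows Azure Active Directory (first-party app)
EXO_APP_ID = "00000002-0000-0ff1-ce00-000000000000"    # Office 365 Exchange Online, used here as a non-matching app
NOISY_FAILURES = {"50126", "50053"}                    # invalid credentials / account locked: the bulk of a spray

# Constructed AuthenticationDetails payloads (JSON arrays of authentication steps, as the table stores them).
PW_FAIL = '[{"authenticationMethod":"Password","succeeded":false,"authenticationStepResultDetail":"Invalid username or password"}]'
PW_OK = '[{"authenticationMethod":"Password","succeeded":true,"authenticationStepResultDetail":"Correct password"}]'
PW_OK_MFA_FAIL = '[{"authenticationMethod":"Password","succeeded":true},{"authenticationMethod":"Mobile app notification","succeeded":false}]'
TRUNCATED = '[{"authenticationMethod":"Password","succeeded":true'   # malformed on purpose


def _rec(ts, upn, ip, app_id, result, client, ua, details):
    """Build one constructed log record with the column names used by the query."""
    return {"CreatedDateTime": ts, "UserPrincipalName": upn, "IPAddress": ip, "AppId": app_id,
            "ResultType": result, "ClientAppUsed": client, "UserAgent": ua, "AuthenticationDetails": details}


# Constructed sample data: one spraying IP using fasthttp, one legitimate user from a corporate IP.
SPRAY_IP, CORP_IP = "203.0.113.10", "198.51.100.7"
SAMPLE_LOGS = [
    _rec("2025-01-10T08:00:01Z", "alice@contoso.example", SPRAY_IP, WAAD_APP_ID, "50126", "Other clients", "fasthttp", PW_FAIL),
    _rec("2025-01-10T08:00:02Z", "bob@contoso.example", SPRAY_IP, WAAD_APP_ID, "50126", "Other clients", "fasthttp", PW_FAIL),
    _rec("2025-01-10T08:00:03Z", "carol@contoso.example", SPRAY_IP, WAAD_APP_ID, "50053", "Other clients", "fasthttp", PW_FAIL),
    _rec("2025-01-10T08:00:04Z", "dave@contoso.example", SPRAY_IP, WAAD_APP_ID, "50057", "Other clients", "fasthttp", PW_FAIL),
    _rec("2025-01-10T08:00:05Z", "eve@contoso.example", SPRAY_IP, WAAD_APP_ID, "0", "Other clients", "fasthttp", PW_OK),
    _rec("2025-01-10T08:01:00Z", "frank@contoso.example", CORP_IP, WAAD_APP_ID, "0", "Browser", "Mozilla/5.0 (Windows NT 10.0)", PW_OK),
    _rec("2025-01-10T08:01:05Z", "frank@contoso.example", CORP_IP, EXO_APP_ID, "0", "Exchange ActiveSync", "Outlook-iOS", PW_OK),
    _rec("2025-01-10T08:00:06Z", "grace@contoso.example", SPRAY_IP, WAAD_APP_ID, "50076", "Other clients", "fasthttp", PW_OK_MFA_FAIL),
    _rec("2025-01-10T08:00:07Z", "heidi@contoso.example", SPRAY_IP, WAAD_APP_ID, "50076", "Other clients", "fasthttp", TRUNCATED),
]


def has_successful_step(rec):
    """True if any authentication step in AuthenticationDetails reports succeeded:true.

    The KQL uses a text match (has 'succeeded":true'); parsing the JSON is stricter and
    returns False for empty or truncated payloads instead of failing.
    """
    try:
        steps = json.loads(rec.get("AuthenticationDetails") or "[]")
    except json.JSONDecodeError:
        return False
    return any(isinstance(step, dict) and step.get("succeeded") is True for step in steps)


def passes_base_filter(rec):
    """Stages 1 and 2 of the query: WAAD app only, and not a plain 50126/50053 failure."""
    return rec["AppId"] == WAAD_APP_ID and str(rec["ResultType"]) not in NOISY_FAILURES


def is_fasthttp_client(rec):
    """The commented-out client fingerprint filter from the query."""
    return rec["ClientAppUsed"] == "Other clients" and rec["UserAgent"] == "fasthttp"


def filter_events(logs, require_fasthttp=False, require_success=False):
    """Apply the base filter plus the optional tightenings, preserving input order."""
    kept = []
    for rec in logs:
        if not passes_base_filter(rec):
            continue
        if require_fasthttp and not is_fasthttp_client(rec):
            continue
        if require_success and not has_successful_step(rec):
            continue
        kept.append(rec)
    return kept


def spray_summary(logs):
    """Per source IP, over every WAAD-app event (failures included): distinct users, attempts, result codes.

    Many distinct users from one IP in a short window is the spray signature; this aggregation
    is an extension of the page's query, not part of it.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "result_types": set()})
    for rec in logs:
        if rec["AppId"] != WAAD_APP_ID:
            continue
        entry = per_ip[rec["IPAddress"]]
        entry["users"].add(rec["UserPrincipalName"])
        entry["attempts"] += 1
        entry["result_types"].add(str(rec["ResultType"]))
    return {ip: {"distinct_users": len(e["users"]), "attempts": e["attempts"],
                 "result_types": sorted(e["result_types"])} for ip, e in per_ip.items()}


if __name__ == "__main__":
    for rec in filter_events(SAMPLE_LOGS, require_fasthttp=True, require_success=True):
        print("credential accepted:", rec["CreatedDateTime"], rec["UserPrincipalName"], rec["IPAddress"], rec["ResultType"])
    for ip, summary in spray_summary(SAMPLE_LOGS).items():
        print(ip, summary)
```

With all tightenings on, the two records that surface are eve (a clean sign-in from the spraying IP) and grace (ResultType 50076: correct password, stopped at MFA), which is exactly the outcome the commented-out AuthenticationDetails match is meant to catch; the per-IP summary shows 203.0.113.10 touching seven distinct accounts while the corporate IP touches one.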

Details

Jose Sebastián Canós

Released: January 23, 2025

Tables

AADNonInteractiveUserSignInLogs

Keywords

AADNonInteractiveUserSignInLogs

Operators

let, toscalar, _GetWatchlist, has_any, isnotempty, summarize, make_list, where, in, project-reorder