Query Details

AAD Service Principal Risk Events Service Principal At Risk

Query

// This query checks Azure AD Identity Protection risk detections for workload identities and tries to summarize them, because Identity Protection does not always trigger a SecurityAlert for those events.
let query_frequency = 1h;
let query_period = 7d;
AADServicePrincipalRiskEvents
| where TimeGenerated > ago(query_period)
| summarize
    ConfirmedTimeGenerated = maxif(TimeGenerated, RiskState == "confirmedCompromised"),
    arg_min(TimeGenerated, *)
    by Id
| where case(
    isnotempty(ConfirmedTimeGenerated), false,
    isempty(ActivityDateTime) and isempty(DetectedDateTime) and isnotempty(LastUpdatedDateTime) and RiskState == "dismissed", false,
    RiskDetail == "aiConfirmedSigninSafe" and RiskState == "dismissed", false,
    true
    )
| summarize arg_min(TimeGenerated, *) by ServicePrincipalId, RiskEventType, DetectionTimingType, RiskLevel, RiskState
| where TimeGenerated > ago(query_frequency)
| extend AlertSeverity = strcat(toupper(substring(RiskLevel, 0, 1)), substring(RiskLevel, 1))
| project
    TimeGenerated,
    ServicePrincipalDisplayName,
    IpAddress,
    Location,
    OperationName,
    RiskEventType,
    RiskLevel,
    DetectionTimingType,
    RiskState,
    RiskDetail,
    AdditionalInfo,
    Activity,
    ServicePrincipalId,
    AppId,
    CorrelationId,
    RequestId,
    ActivityDateTime,
    DetectedDateTime,
    LastUpdatedDateTime,
    Id,
    AlertSeverity

Explanation

This query checks Azure AD Identity Protection risk detections for workload identities over the past week. For each detection Id it keeps the earliest record and notes whether any record for that Id reached the confirmedCompromised state.

The query then drops detections that were confirmed compromised, detections that were dismissed while still lacking an activity and detection timestamp (only a last-updated time is present), and detections that were dismissed because the sign-in was confirmed safe by AI (a RiskDetail of aiConfirmedSigninSafe).

After this, it summarizes the remaining detections by Service Principal ID, Risk Event Type, Detection Timing Type, Risk Level and Risk State, keeping the earliest record of each combination, and then keeps only those whose earliest record falls within the last hour (the query frequency), so each combination is reported once.

The query then derives an AlertSeverity for each row by capitalizing the first letter of its risk level.

Finally, it displays a range of information about each event, including the time it was generated, the display name of the service principal, the IP address, location, operation name, risk event type, risk level, detection timing type, risk state, risk detail, additional info, activity, service principal ID, app ID, correlation ID, request ID, activity date and time, detected date and time, last updated date and time, ID, and alert severity.
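Added example, not part of the original page or the query author's work: a Python model of the query's two summarize stages and its case() suppression rules, run over constructed risk-event rows so the effect of each rule can be checked. Column names follow the query; the sample rows, timestamps and service principal ids are constructed.

```python
from datetime import datetime, timedelta

NOW = datetime(2022, 8, 18, 12, 0)          # constructed query time
QUERY_FREQUENCY = timedelta(hours=1)
QUERY_PERIOD = timedelta(days=7)

def row(Id, age_min, RiskState, RiskDetail="none", stamped=True, sp="sp-a",
        kind="unfamiliarFeatures", level="medium"):
    """Build one constructed AADServicePrincipalRiskEvents-like record."""
    t = NOW - timedelta(minutes=age_min)
    return dict(Id=Id, TimeGenerated=t, RiskState=RiskState, RiskDetail=RiskDetail,
                ActivityDateTime=t if stamped else None, DetectedDateTime=t if stamped else None,
                LastUpdatedDateTime=t, ServicePrincipalId=sp, RiskEventType=kind,
                DetectionTimingType="realtime", RiskLevel=level)

SAMPLE_ROWS = [                                   # constructed rows, not tenant data
    row("r1", 40, "atRisk"),                      # later confirmed compromised -> suppressed
    row("r1", 10, "confirmedCompromised"),
    row("r2", 30, "dismissed", stamped=False, sp="sp-b"),  # dismissed, no activity/detected time -> suppressed
    row("r3", 20, "dismissed", RiskDetail="aiConfirmedSigninSafe", sp="sp-c"),  # AI-confirmed safe -> suppressed
    row("r4", 15, "atRisk", sp="sp-d"),           # fresh detection -> reported
    row("r5", 180, "atRisk", sp="sp-e"),          # same key as r6, first seen 3h ago -> reported by an earlier run
    row("r6", 5, "atRisk", sp="sp-e"),
]

def service_principals_at_risk(rows, now=NOW):
    rows = [r for r in rows if r["TimeGenerated"] > now - QUERY_PERIOD]
    # Stage 1: per detection Id keep the earliest record; note any confirmed compromise (maxif).
    by_id = {}
    for r in rows:
        by_id.setdefault(r["Id"], []).append(r)
    stage1 = []
    for recs in by_id.values():
        first = min(recs, key=lambda r: r["TimeGenerated"])
        if any(r["RiskState"] == "confirmedCompromised" for r in recs):
            continue                              # case() rule 1
        if (first["ActivityDateTime"] is None and first["DetectedDateTime"] is None
                and first["LastUpdatedDateTime"] is not None and first["RiskState"] == "dismissed"):
            continue                              # case() rule 2
        if first["RiskDetail"] == "aiConfirmedSigninSafe" and first["RiskState"] == "dismissed":
            continue                              # case() rule 3
        stage1.append(first)
    # Stage 2: earliest row per (SP, type, timing, level, state), then only those first seen in the last hour.
    key = lambda r: (r["ServicePrincipalId"], r["RiskEventType"], r["DetectionTimingType"],
                     r["RiskLevel"], r["RiskState"])
    by_key = {}
    for r in stage1:
        if key(r) not in by_key or r["TimeGenerated"] < by_key[key(r)]["TimeGenerated"]:
            by_key[key(r)] = r
    out = [dict(r, AlertSeverity=r["RiskLevel"][:1].upper() + r["RiskLevel"][1:])
           for r in by_key.values() if r["TimeGenerated"] > now - QUERY_FREQUENCY]
    return sorted(out, key=lambda r: r["TimeGenerated"])
```

Note that the second stage only reports the first occurrence of a (service principal, event type, timing, level, state) combination within the 7-day period, so a repeat of an already reported detection (r6 here) is not re-alerted.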

Details

Jose Sebastián Canós

Released: August 18, 2022

Tables

AADServicePrincipalRiskEvents

Keywords

AzureAD,IdentityProtection,RiskDetections,WorkloadIdentities,SecurityAlert,QueryFrequency,QueryPeriod,AADServicePrincipalRiskEvents,TimeGenerated,ConfirmedTimeGenerated,RiskState,ActivityDateTime,DetectedDateTime,LastUpdatedDateTime,RiskDetail,ServicePrincipalId,RiskEventType,DetectionTimingType,RiskLevel,AlertSeverity,ServicePrincipalDisplayName,IpAddress,Location,OperationName,AdditionalInfo,Activity,AppId,CorrelationId,RequestId,Id

Operators

let, where, ago, summarize, maxif, arg_min, by, case, isnotempty, isempty, true, extend, strcat, toupper, substring, project