Query Details

Add Passkey Device Bound MS Authenticator Windows Hello Detection

Query

// Add Passkey device-bound MS Authenticator Windows Hello detection
// https://www.linkedin.com/posts/activity-7191839187543728128-DQ02/

// With the public preview of expanded Entra passkey options, Entra admins will now need to make sure passkeys are properly managed as part of security key life cycle management for both privileged and non-privileged roles. Security operations will also need detection for *NEW* passkeys added, from both malicious and non-malicious perspectives, so that threats can be monitored and mitigated when required.

AuditLogs
// Passkey registration events that completed successfully
| where ActivityDisplayName contains "Add Passkey"
| where Result == "success"
// The account the passkey was registered on (dynamic field cast to string)
| extend AccountUPN = tostring(TargetResources[0].userPrincipalName)
// AAGUID identifies the authenticator make/model; WebAuthnInfo carries the
// registration details. Both are read by array position, so verify the
// AdditionalDetails layout in your tenant before relying on these indexes.
| extend AAGUID = tostring(AdditionalDetails[1].value)
| extend WebAuthnInfo = tostring(AdditionalDetails[0].value)
| project TimeGenerated, AccountUPN, ActivityDisplayName, AAGUID, WebAuthnInfo

Explanation

This KQL (Kusto Query Language) query is designed to help security operations teams monitor the addition of new passkeys in Microsoft Entra (formerly Azure AD). Here's a simple summary of what the query does:

  1. Source: It looks at the AuditLogs table.
  2. Filter: It filters the logs to find entries where the activity name contains "Add Passkey" and the result was successful.
  3. Extract Information: It extracts specific details from these logs:
    • AccountUPN: The user principal name (email) of the account involved.
    • AAGUID: The Authenticator Attestation GUID, which identifies the make and model of the authenticator.
    • WebAuthnInfo: Additional Web Authentication information.
  4. Output: It then selects and displays the following columns:
    • TimeGenerated: When the activity occurred.
    • AccountUPN: The user principal name.
    • ActivityDisplayName: The name of the activity.
    • AAGUID: The unique authenticator identifier.
    • WebAuthnInfo: Additional Web Authentication information.

This query helps administrators and security teams track and manage the addition of new passkeys, ensuring they can detect and respond to both legitimate and potentially malicious activities involving passkeys.
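The same detection, applied offline to exported AuditLogs records, as an added example that is not part of the original query. It looks up AdditionalDetails entries by key name instead of array position and flags AAGUIDs that are not on an allowlist of approved authenticator models; the key names "AAGUID" and "WebAuthnInfo", the GUIDs and the sample records are all constructed assumptions.

```python
import json

# Constructed sample records in the AuditLogs shape the KQL query relies on.
# Key names and GUID values are assumptions, not real tenant data.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-08-02T10:00:00Z", "ActivityDisplayName": "Add Passkey",
     "Result": "success",
     "TargetResources": [{"userPrincipalName": "alice@example.com"}],
     "AdditionalDetails": [{"key": "WebAuthnInfo", "value": "device-bound"},
                           {"key": "AAGUID", "value": "00000000-0000-0000-0000-0000000000aa"}]},
    {"TimeGenerated": "2024-08-02T10:05:00Z", "ActivityDisplayName": "Add Passkey",
     "Result": "failure",  # failed registrations are filtered out, as in the query
     "TargetResources": [{"userPrincipalName": "bob@example.com"}],
     "AdditionalDetails": [{"key": "AAGUID", "value": "00000000-0000-0000-0000-0000000000aa"}]},
    {"TimeGenerated": "2024-08-02T10:10:00Z", "ActivityDisplayName": "Add Passkey",
     "Result": "success",
     "TargetResources": [{"userPrincipalName": "carol@example.com"}],
     "AdditionalDetails": [{"key": "AAGUID", "value": "11111111-1111-1111-1111-111111111111"},
                           {"key": "WebAuthnInfo", "value": "roaming"}]},
]

# Constructed allowlist of AAGUIDs the tenant permits (e.g. its approved
# device-bound authenticator models); anything else is worth a closer look.
APPROVED_AAGUIDS = {"00000000-0000-0000-0000-0000000000aa"}

def detail(record, key):
    """Return the AdditionalDetails value for `key`, regardless of its position."""
    for item in record.get("AdditionalDetails", []):
        if item.get("key") == key:
            return item.get("value")
    return None

def passkey_additions(records, approved=APPROVED_AAGUIDS):
    """Mirror the KQL filters and projection, adding an allowlist verdict per row."""
    rows = []
    for r in records:
        if "Add Passkey" not in r.get("ActivityDisplayName", "") or r.get("Result") != "success":
            continue
        targets = r.get("TargetResources") or [{}]
        aaguid = detail(r, "AAGUID")
        rows.append({"TimeGenerated": r["TimeGenerated"],
                     "AccountUPN": targets[0].get("userPrincipalName"),
                     "ActivityDisplayName": r["ActivityDisplayName"],
                     "AAGUID": aaguid,
                     "WebAuthnInfo": detail(r, "WebAuthnInfo"),
                     "approved": aaguid in approved})
    return rows

if __name__ == "__main__":
    for row in passkey_additions(SAMPLE_RECORDS):
        print(json.dumps(row))
```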

Details

Steven Lim

Released: August 2, 2024

Tables

AuditLogs

Keywords

AuditLogs

Operators

contains, ==, extend, project, where