Query Details

Anomalous Token

Query

SecurityAlert
| where AlertName == "Anomalous Token"
| extend x = todynamic(Entities)
| parse-where x with * '"SessionId":"' RequestId '"' *
| project AlertTime=TimeGenerated, RequestId, CompromisedEntity, AlertName
| join kind=inner (
    AADUserRiskEvents)
    on $left.CompromisedEntity == $right.UserPrincipalName, RequestId
| project
    RiskTime=TimeGenerated,
    AlertTime,
    AlertName,
    RequestId,
    RiskLevel,
    RiskState,
    DetectionTimingType,
    UserPrincipalName,
    CorrelationId
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(14d)
    )
    on CorrelationId
| project
    SigninTime=TimeGenerated,
    RiskTime,
    AlertName,
    AlertTime,
    UserPrincipalName,
    AppDisplayName,
    Location,
    IPAddress,
    RiskLevel,
    RiskState,
    DetectionTimingType,
    UserAgent,
    ResultType

Explanation

This query retrieves information about security alerts related to anomalous tokens. It takes SecurityAlert rows whose AlertName is "Anomalous Token", extracts the SessionId from the Entities field and carries it forward as RequestId, and inner-joins them with the AADUserRiskEvents table on CompromisedEntity matching UserPrincipalName together with RequestId. The risk event's CorrelationId is then inner-joined with SigninLogs from the last 14 days, so only alerts that match both a risk event and a recent sign-in survive. The final result includes various fields such as SigninTime, RiskTime, AlertName, UserPrincipalName, AppDisplayName, Location, IPAddress, RiskLevel, RiskState, DetectionTimingType, UserAgent, and ResultType.
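The same correlation chain as an added Python example (not part of this page's query or of Microsoft Sentinel): it parses Entities as JSON instead of substring-matching, then performs the two inner joins and the 14-day sign-in window over constructed sample rows. All table contents, user names, request and correlation IDs, IP address and timestamps are made up.

```python
import json
from datetime import datetime, timedelta
# Constructed sample rows standing in for the three tables; none of this is real telemetry.
T0 = datetime(2021, 12, 20, 10, 0)
NOW = T0 + timedelta(days=1)  # fixed "now" so ago(14d) is reproducible
SECURITY_ALERTS = [
    {"TimeGenerated": T0 + timedelta(minutes=5), "AlertName": "Anomalous Token",
     "CompromisedEntity": "alice@contoso.example",
     "Entities": json.dumps([{"Type": "account", "Name": "alice"}, {"SessionId": "req-111"}])},
    {"TimeGenerated": T0, "AlertName": "Anomalous Token", "CompromisedEntity": "bob@contoso.example",
     "Entities": json.dumps([{"Type": "account", "Name": "bob"}])},  # no SessionId: parse-where drops it
]
AAD_USER_RISK_EVENTS = [
    {"TimeGenerated": T0 + timedelta(minutes=2), "UserPrincipalName": "alice@contoso.example",
     "RequestId": "req-111", "RiskLevel": "high", "RiskState": "atRisk",
     "DetectionTimingType": "realtime", "CorrelationId": "corr-aaa"},
]
SIGNIN = {"TimeGenerated": T0, "CorrelationId": "corr-aaa", "AppDisplayName": "Office 365 Exchange Online",
          "Location": "US", "IPAddress": "203.0.113.7", "UserAgent": "python-requests/2.26", "ResultType": "0"}
SIGNIN_LOGS = [SIGNIN, {**SIGNIN, "TimeGenerated": T0 - timedelta(days=30)}]  # second row is outside ago(14d)

def session_id_from_entities(entities):
    """The query's parse-where step, done by parsing Entities as JSON instead of substring matching."""
    try:
        items = json.loads(entities)
    except ValueError:
        return None
    for item in items:
        if isinstance(item, dict) and item.get("SessionId"):
            return str(item["SessionId"])
    return None  # no session on the alert: parse-where would filter this row out

def correlate(alerts, risk_events, signins, now):
    """Reproduce the two inner joins and the final project; returns one dict per result row."""
    cutoff = now - timedelta(days=14)  # SigninLogs | where TimeGenerated > ago(14d)
    rows = []
    for a in alerts:
        req = session_id_from_entities(a["Entities"]) if a["AlertName"] == "Anomalous Token" else None
        for r in risk_events:  # on $left.CompromisedEntity == $right.UserPrincipalName, RequestId
            if req is None or (r["UserPrincipalName"], r["RequestId"]) != (a["CompromisedEntity"], req):
                continue
            for s in signins:  # on CorrelationId
                if s["CorrelationId"] != r["CorrelationId"] or s["TimeGenerated"] <= cutoff:
                    continue
                rows.append({"SigninTime": s["TimeGenerated"], "RiskTime": r["TimeGenerated"],
                             "AlertTime": a["TimeGenerated"], "AlertName": a["AlertName"],
                             **{k: r[k] for k in ("UserPrincipalName", "RiskLevel", "RiskState", "DetectionTimingType")},
                             **{k: s[k] for k in ("AppDisplayName", "Location", "IPAddress", "UserAgent", "ResultType")}})
    return rows
```

Running `correlate(SECURITY_ALERTS, AAD_USER_RISK_EVENTS, SIGNIN_LOGS, NOW)` yields a single row for alice; bob's alert has no SessionId and the 30-day-old sign-in falls outside the window, so both drop out exactly as they would in the KQL.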

Details


Rod Trent

Released: December 24, 2021

Tables

SecurityAlert, AADUserRiskEvents, SigninLogs

Keywords

SecurityAlert, AlertName, Entities, SessionId, RequestId, CompromisedEntity, TimeGenerated, RiskTime, RiskLevel, RiskState, DetectionTimingType, UserPrincipalName, CorrelationId, SigninLogs, SigninTime, AppDisplayName, Location, IPAddress, UserAgent, ResultType

Operators

where, extend, parse-where, project, join, on, kind, $left, $right, where, project, join, on, project
