Anomalous Token
Query
SecurityAlert
| where AlertName == "Anomalous Token"
| extend x = todynamic(Entities)
| parse-where x with * '"SessionId":"' RequestId '"' *
| project AlertTime=TimeGenerated, RequestId, CompromisedEntity, AlertName
| join kind=inner (
AADUserRiskEvents)
on $left.CompromisedEntity == $right.UserPrincipalName, RequestId
| project
RiskTime=TimeGenerated,
AlertTime,
AlertName,
RequestId,
RiskLevel,
RiskState,
DetectionTimingType,
UserPrincipalName,
CorrelationId
| join kind=inner (
SigninLogs
| where TimeGenerated > ago(14d)
)
on CorrelationId
| project
SigninTime=TimeGenerated,
RiskTime,
AlertName,
AlertTime,
UserPrincipalName,
AppDisplayName,
Location,
IPAddress,
RiskLevel,
RiskState,
DetectionTimingType,
UserAgent,
ResultTypeExplanation
This query retrieves information about security alerts related to anomalous tokens. It joins the SecurityAlert table with the AADUserRiskEvents table based on the CompromisedEntity and RequestId fields. Then, it joins the result with the SigninLogs table based on the CorrelationId field. The final result includes various fields such as SigninTime, RiskTime, AlertName, UserPrincipalName, AppDisplayName, Location, IPAddress, RiskLevel, RiskState, DetectionTimingType, UserAgent, and ResultType.
Details

Rod Trent
Released: December 24, 2021
Tables
SecurityAlertAADUserRiskEventsSigninLogs
Keywords
SecurityAlertAlertNameEntitiesSessionIdRequestIdCompromisedEntityTimeGeneratedRiskTimeRiskLevelRiskStateDetectionTimingTypeUserPrincipalNameCorrelationIdSigninLogsSigninTimeAppDisplayNameLocationIPAddressUserAgentResultType
Operators
whereextendparse-whereprojectjoinonkind$left$right