Auto Disable High Risk AD User
Query
// AH custom detection: disable when user risk flipped HIGH within the lookback (e.g., last 1h)
// IMPORTANT: When creating the detection rule, set the frequency to run every hour.
// At 1h frequency, Advanced Hunting evaluates the last 4h of data (lookback).
// This query ensures it only triggers if a user's risk was set to HIGH within a 1h window.
// Requires Defender for Identity
let RiskWindow = 1h;
IdentityLogonEvents
| where Timestamp > ago(30d) // wide window just to borrow a ReportId (AH requires it)
| summarize arg_max(Timestamp, ReportId, AccountUpn, AccountObjectId, Application, LogonType)
by AccountObjectId
| join kind=inner (
IdentityInfo
| summarize ArgTS = arg_max(Timestamp, RiskLevel, RiskLevelDetails, OnPremSid) by AccountUpn, AccountObjectId
| where RiskLevel =~ "high" or RiskLevelDetails has "adminConfirmedUserCompromised"
| where ArgTS > ago(RiskWindow)
| project AccountObjectId, AccountUpn, OnPremSid, // <-- include SID
RiskLevel, RiskLevelDetails, RiskSetTime = ArgTS
) on AccountObjectId
// Exclusions: update these!
| where AccountUpn !in~ ("[email protected]","[email protected]")
| project
ReportId, // REQUIRED for custom detections
Timestamp, // REQUIRED (keep name exactly)
AccountUpn, AccountObjectId,
OnPremSid, // <-- REQUIRED for the "Disable user" action
RiskSetTime, RiskLevel, RiskLevelDetails,
Application, LogonTypeExplanation
This query is designed to detect when a user's risk level is elevated to "HIGH" within a specific time frame, specifically within the last hour. It is intended to be used with Microsoft Defender for Identity and should be set to run every hour. Here's a simplified breakdown of what the query does:
-
Define a Risk Window: The query sets a time window of 1 hour (
RiskWindow = 1h) to check for risk level changes. -
Fetch Logon Events: It retrieves identity logon events from the past 30 days to get the most recent logon details for each user. This includes information like the timestamp, report ID, account UPN (User Principal Name), account object ID, application, and logon type.
-
Join with Identity Info: The query then joins this logon data with identity information to find users whose risk level is either "high" or marked as "adminConfirmedUserCompromised" within the last hour.
-
Filter Exclusions: It excludes specific accounts (e.g., "[email protected]" and "[email protected]") from triggering the detection.
-
Select Relevant Data: Finally, it selects and projects relevant fields such as the report ID, timestamp, account UPN, account object ID, on-premises SID, risk set time, risk level, risk level details, application, and logon type.
This query is part of a custom detection rule that helps identify potentially compromised accounts by monitoring for sudden increases in user risk levels, allowing for timely security responses.
Details

Nathan Hutchinson
Released: February 12, 2026
Tables
Keywords
Operators