Query Details
// AH custom detection: disable a user whose risk level was set to High within the last hour (RiskWindow).
// IMPORTANT: when creating the detection rule, set the frequency to run every hour.
// At the hourly frequency a custom detection evaluates the last 4h of data (its lookback).
// The RiskWindow filter below narrows that to users whose latest IdentityInfo record was
// written in the last 1h and shows High risk, so a user is not re-flagged on every run
// simply because they remain at High risk.
// Requires Microsoft Defender for Identity (IdentityInfo and IdentityLogonEvents).
let RiskWindow = 1h;
IdentityLogonEvents
| where Timestamp > ago(30d) // wide window only to borrow a ReportId (custom detections require one)
// Most recent logon per user. AccountObjectId is the group key, so it is not repeated in arg_max.
| summarize arg_max(Timestamp, ReportId, AccountUpn, Application, LogonType)
    by AccountObjectId
| join kind=inner (
    IdentityInfo
    // Latest identity record per user; ArgTS is the time that record was written
    | summarize ArgTS = arg_max(Timestamp, RiskLevel, RiskLevelDetails, OnPremSid) by AccountUpn, AccountObjectId
    | where RiskLevel =~ "high" or RiskLevelDetails has "adminConfirmedUserCompromised"
    | where ArgTS > ago(RiskWindow)
    | project AccountObjectId, AccountUpn, OnPremSid, // <-- include SID
        RiskLevel, RiskLevelDetails, RiskSetTime = ArgTS
) on AccountObjectId
// Exclusions: update these!
| where AccountUpn !in~ ("[email protected]","[email protected]")
| project
    ReportId,      // REQUIRED for custom detections
    Timestamp,     // REQUIRED (keep name exactly)
    AccountUpn, AccountObjectId,
    OnPremSid,     // <-- REQUIRED for the "Disable user" action
    RiskSetTime, RiskLevel, RiskLevelDetails,
    Application, LogonType

This query detects when a user's risk level has been set to High within a 1-hour window, using Microsoft Defender for Identity data. Here's a simplified breakdown of what the query does:
Define Risk Window: It sets a 1-hour window (RiskWindow = 1h) within which a user's latest risk record must have been written.
Fetch Recent Logon Events: It retrieves logon events from the past 30 days and keeps the most recent logon per user (AccountObjectId), including its timestamp, report ID, user principal name (UPN), application and logon type. The wide window exists only to obtain a ReportId, which custom detections require.
Identify High-Risk Users: It joins that logon data with the latest IdentityInfo record per user and keeps users whose RiskLevel is "High" or whose RiskLevelDetails contains "adminConfirmedUserCompromised", provided that record was written within the last hour. Note that this tests the user's latest state rather than a transition: a user who stays at High risk matches again whenever a new IdentityInfo record for them arrives inside the window.
Exclude Specific Users: The query excludes the accounts listed in the exclusion filter from triggering the detection; replace the placeholder UPNs before deploying.
Output Relevant Information: Finally, it outputs the report ID, timestamp, user identifiers, risk level and logon details. OnPremSid is included because the "Disable user" response action requires it.
The query is intended to run every hour as a custom detection rule in Advanced Hunting; at that frequency the rule evaluates the last 4 hours of data, and the 1-hour RiskWindow narrows the match to recently written risk records. ReportId and Timestamp must be present under exactly those names for the rule to be accepted. Because the Timestamp returned is that of the borrowed logon, which may be older than the rule's lookback, test the rule on a known case and confirm that such rows are still alerted before relying on it; if they are not, take ReportId and Timestamp from an event inside the lookback instead.
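The detection above matches on a user's latest risk state. If you want to alert only when the risk level actually changes to High, the following KQL compares each IdentityInfo record with the same user's previous record. This is an added example and not part of the original query; it assumes that each IdentityInfo row for a user is a snapshot, so the previous row for the same AccountObjectId reflects the user's prior state, and that a 7-day history (the hypothetical History value) is enough to find that prior row.

```kql
// Added example, not part of the original query: alert on the transition to High risk,
// not on the latest state. Assumption: consecutive IdentityInfo rows for one AccountObjectId
// are successive snapshots of that user.
let RiskWindow = 1h;
let History = 7d;   // assumption: enough history to find the prior snapshot of each user
IdentityInfo
| where Timestamp > ago(History)
| where isnotempty(AccountObjectId)
| project Timestamp, AccountObjectId, AccountUpn, OnPremSid, RiskLevel, RiskLevelDetails
// Order per user so that prev() returns the same user's previous snapshot
| sort by AccountObjectId asc, Timestamp asc
| extend PrevObjectId = prev(AccountObjectId), PrevRiskLevel = prev(RiskLevel)
// The first row for a user would borrow prev() from a different user; blank it out
| extend PrevRiskLevel = iff(PrevObjectId == AccountObjectId, PrevRiskLevel, "")
// Only evaluate snapshots written inside the detection window
| where Timestamp > ago(RiskWindow)
| extend IsHighNow = RiskLevel =~ "high" or RiskLevelDetails has "adminConfirmedUserCompromised"
// Fire only when the user was not already High in the prior snapshot
| where IsHighNow and not(PrevRiskLevel =~ "high")
| project RiskSetTime = Timestamp, AccountObjectId, AccountUpn, OnPremSid,
    PrevRiskLevel, RiskLevel, RiskLevelDetails
```

A user seen for the first time inside the window has an empty PrevRiskLevel and therefore matches if they are High; tighten the `not(PrevRiskLevel =~ "high")` condition to `PrevRiskLevel != ""` as well if you only want confirmed transitions. To use this as a custom detection it still has to be joined to an event table that supplies ReportId and Timestamp, as the query on this page does with IdentityLogonEvents.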

Nathan Hutchinson
Released: February 2, 2026