Query Details

Azure CLI Spray ASN 53667

Query

// Azure CLI Spray - ASN 53667
// https://www.linkedin.com/posts/activity-7216141179648716800-703J/

// Defenders take note of this ASN using IPV6 to conduct Azure CLI Spray on your Entra Tenant. Use the below KQL to check against your Sentinel.🤝

// ASN 53667 Lookup - https://lnkd.in/gAVK5htd

SigninLogs
| where TimeGenerated > ago(30d)                        // lookback window: last 30 days
| where ResultType == "50126" or ResultType == "50053"  // 50126: invalid username or password; 50053: account locked / sign-in blocked
| where UserAgent == "node-fetch"                       // node-fetch is a Node.js HTTP client library, not a browser or the CLI itself
| where AutonomousSystemNumber == "53667"               // SigninLogs types this column as int; use == 53667 if your workspace rejects the string comparison
| where AppDisplayName == "Microsoft Azure CLI"

Explanation

This query is designed to help defenders identify potential malicious activity related to Azure CLI Spray attacks on their Entra Tenant. Specifically, it looks for failed sign-in attempts (ResultType "50126" or "50053") that are using the "node-fetch" user agent and originate from Autonomous System Number (ASN) 53667. The query focuses on sign-in logs from the past 30 days where the application used is "Microsoft Azure CLI".

Here's a simplified breakdown:

  1. Data Source: Sign-in logs.
  2. Time Frame: Last 30 days.
  3. Conditions:
    • Failed sign-in attempts (ResultType "50126" or "50053").
    • User agent is "node-fetch".
    • ASN is "53667".
    • Application is "Microsoft Azure CLI".

The purpose is to detect and investigate suspicious activities that match these criteria.
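As an added example (not part of the original query page or the author's code), the same five filters expressed in Python over a constructed batch of SigninLogs rows, followed by a per-source-IP summary that exposes the spray shape (many distinct accounts tried from one address). Field names mirror the Sentinel columns the query uses; the UserPrincipalName and IPAddress fields, the sample values and the helper names are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed reference "now" so the 30-day window is reproducible (assumption for this example).
NOW = datetime(2024, 8, 2, 12, 0, tzinfo=timezone.utc)

# Failure codes the KQL query filters on:
# 50126 = invalid username or password, 50053 = account locked / sign-in blocked.
FAILURE_CODES = {"50126", "50053"}

# Constructed sample rows (not real telemetry). Keys mirror the SigninLogs columns
# referenced by the query; UserPrincipalName and IPAddress are added so attempts can be
# grouped. IPv6 addresses are from the documentation range (RFC 3849).
SAMPLE_SIGNIN_LOGS = [
    # three failed Azure CLI sign-ins from one address against three different users
    {"TimeGenerated": NOW - timedelta(hours=1), "ResultType": "50126",
     "UserAgent": "node-fetch", "AutonomousSystemNumber": 53667,
     "AppDisplayName": "Microsoft Azure CLI",
     "UserPrincipalName": "alice@example.com", "IPAddress": "2001:db8::10"},
    {"TimeGenerated": NOW - timedelta(hours=2), "ResultType": "50126",
     "UserAgent": "node-fetch", "AutonomousSystemNumber": "53667",
     "AppDisplayName": "Microsoft Azure CLI",
     "UserPrincipalName": "bob@example.com", "IPAddress": "2001:db8::10"},
    {"TimeGenerated": NOW - timedelta(hours=3), "ResultType": "50053",
     "UserAgent": "node-fetch", "AutonomousSystemNumber": 53667,
     "AppDisplayName": "Microsoft Azure CLI",
     "UserPrincipalName": "carol@example.com", "IPAddress": "2001:db8::10"},
    # successful sign-in from the same ASN: excluded by the ResultType filter
    {"TimeGenerated": NOW - timedelta(minutes=30), "ResultType": "0",
     "UserAgent": "node-fetch", "AutonomousSystemNumber": 53667,
     "AppDisplayName": "Microsoft Azure CLI",
     "UserPrincipalName": "alice@example.com", "IPAddress": "2001:db8::10"},
    # browser user agent: excluded by the UserAgent filter
    {"TimeGenerated": NOW - timedelta(hours=4), "ResultType": "50126",
     "UserAgent": "Mozilla/5.0", "AutonomousSystemNumber": 53667,
     "AppDisplayName": "Microsoft Azure CLI",
     "UserPrincipalName": "dave@example.com", "IPAddress": "2001:db8::11"},
    # different ASN: excluded by the ASN filter
    {"TimeGenerated": NOW - timedelta(hours=5), "ResultType": "50126",
     "UserAgent": "node-fetch", "AutonomousSystemNumber": 8075,
     "AppDisplayName": "Microsoft Azure CLI",
     "UserPrincipalName": "erin@example.com", "IPAddress": "2001:db8::12"},
    # different application: excluded by the AppDisplayName filter
    {"TimeGenerated": NOW - timedelta(hours=6), "ResultType": "50126",
     "UserAgent": "node-fetch", "AutonomousSystemNumber": 53667,
     "AppDisplayName": "Azure Portal",
     "UserPrincipalName": "frank@example.com", "IPAddress": "2001:db8::10"},
    # otherwise matching, but 45 days old: excluded by the time window
    {"TimeGenerated": NOW - timedelta(days=45), "ResultType": "50126",
     "UserAgent": "node-fetch", "AutonomousSystemNumber": 53667,
     "AppDisplayName": "Microsoft Azure CLI",
     "UserPrincipalName": "grace@example.com", "IPAddress": "2001:db8::10"},
]


def matches_cli_spray(row, now=NOW, lookback_days=30, asn="53667"):
    """Apply the five filters of the KQL query to one SigninLogs row."""
    in_window = row["TimeGenerated"] > now - timedelta(days=lookback_days)
    failed = row["ResultType"] in FAILURE_CODES
    # AutonomousSystemNumber may be exported as int or string; compare as strings
    # so both representations match (the KQL compares against a string literal).
    from_asn = str(row["AutonomousSystemNumber"]) == str(asn)
    return (in_window and failed
            and row["UserAgent"] == "node-fetch"
            and from_asn
            and row["AppDisplayName"] == "Microsoft Azure CLI")


def find_cli_spray(rows, **kwargs):
    """Return the rows that satisfy every filter, in their original order."""
    return [r for r in rows if matches_cli_spray(r, **kwargs)]


def summarize_by_ip(rows):
    """Group matches by source IP: total attempts and number of distinct accounts targeted."""
    groups = defaultdict(lambda: {"attempts": 0, "users": set()})
    for r in rows:
        g = groups[r["IPAddress"]]
        g["attempts"] += 1
        g["users"].add(r["UserPrincipalName"])
    return {ip: {"attempts": g["attempts"], "distinct_users": len(g["users"])}
            for ip, g in groups.items()}


if __name__ == "__main__":
    hits = find_cli_spray(SAMPLE_SIGNIN_LOGS)
    for ip, stats in summarize_by_ip(hits).items():
        print(ip, stats)
```

The summary is the triage step the query itself leaves to the analyst: a single address failing against several distinct accounts is the password-spray pattern, and the excluded successful sign-in in the sample (same ASN, same user agent, ResultType "0") is exactly the row worth pivoting to next, because the query's failure-only filter hides it.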

Details


Steven Lim

Released: August 2, 2024

Tables

SigninLogs

Keywords

SigninLogs, AutonomousSystemNumber, UserAgent, AppDisplayName, ResultType, TimeGenerated

Operators

ago, >, ==, or
