Query Details

Azure Cloud Account Takeover

Query

//Azure cloud account takeover
//https://www.linkedin.com/feed/update/urn:li:activity:7163049034528481281/

SigninLogs
// Look back 90 days
| where TimeGenerated > ago(90d)
// Exact match on a generic Chrome 120 / Linux (X11, x86_64) user agent; the page treats this fixed string as the fingerprint of interest
| where UserAgent == "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
// Only sign-ins to the office.com landing application
| where AppDisplayName == "OfficeHome"


Explanation

This KQL (Kusto Language) query hunts for one specific sign-in pattern in Microsoft Entra ID (Azure AD) sign-in logs over the past 90 days. In summary:

  1. Data Source: The query reads the SigninLogs table, which holds the interactive sign-in records for the tenant.
  2. Time Frame: It keeps only records whose TimeGenerated falls within the last 90 days (ago(90d)).
  3. User Agent: It narrows the results to sign-ins whose UserAgent string exactly equals a generic Chrome 120 on Linux (X11, x86_64) user agent. That string is unusual for a managed Windows or macOS fleet, and a fixed, generic user agent is the kind of value a tool or proxy presents rather than a user's own browser.
  4. Application: Finally, it keeps only sign-ins where AppDisplayName is "OfficeHome", the application name recorded when a user lands on office.com.

In essence, the query surfaces sign-ins to the OfficeHome application from a Linux/Chrome 120 user agent in the last 90 days, a combination the page presents as an indicator of cloud account takeover. Two caveats when running it: the user agent is attacker-controlled and the Chrome version drifts over time, so the exact == match is brittle (a looser match such as UserAgent has "X11; Linux x86_64" catches newer versions at the cost of more noise), and the query does not distinguish successful from failed sign-ins, so adding | where ResultType == "0" and summarizing by UserPrincipalName and IPAddress makes the results much easier to triage.
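To make the filter logic and the two tunings above checkable offline, here is the same hunt re-expressed in plain Python over a handful of constructed SigninLogs-style rows. This is an added example, not code from the original page or its author; the field names follow the Entra ID SigninLogs schema, the rows, user names and IP addresses are invented, the fixed "now" is an assumption so the 90-day window is deterministic, and the version-agnostic regex is an assumed generalisation of the page's exact user-agent string.

```python
# Added example, not part of the original page: the hunt re-expressed in
# Python over constructed SigninLogs-style rows, with two common tunings
# (successful sign-ins only, looser user-agent match). Field names follow
# the Entra ID SigninLogs schema; every row below is invented sample data.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SUSPECT_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SUSPECT_APP = "OfficeHome"

# Same Linux/Chrome fingerprint with any Chrome major version (assumed
# generalisation of the page's exact string, since the version drifts).
LOOSE_UA_RE = re.compile(
    r"^Mozilla/5\.0 \(X11; Linux x86_64\) AppleWebKit/537\.36 "
    r"\(KHTML, like Gecko\) Chrome/\d+\.0\.0\.0 Safari/537\.36$")

# Fixed "now" so the 90-day window is deterministic (assumption for the example).
NOW = datetime(2024, 8, 2, tzinfo=timezone.utc)


def row(days_ago, upn, ua, app, result, ip):
    """Build one constructed SigninLogs-style record."""
    return {"TimeGenerated": NOW - timedelta(days=days_ago),
            "UserPrincipalName": upn, "UserAgent": ua,
            "AppDisplayName": app, "ResultType": result, "IPAddress": ip}


WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
NEWER_LINUX_UA = SUSPECT_UA.replace("Chrome/120", "Chrome/124")

# Constructed sample rows (not real telemetry).
SAMPLE_SIGNIN_LOGS = [
    row(3,   "alice@contoso.example", SUSPECT_UA,     "OfficeHome",      "0",     "203.0.113.10"),  # hit
    row(3,   "alice@contoso.example", SUSPECT_UA,     "OfficeHome",      "50126", "203.0.113.10"),  # hit, but a failed sign-in
    row(2,   "alice@contoso.example", SUSPECT_UA,     "OfficeHome",      "0",     "198.51.100.7"),  # hit, second source IP
    row(10,  "bob@contoso.example",   SUSPECT_UA,     "Microsoft Teams", "0",     "203.0.113.10"),  # app mismatch
    row(100, "carol@contoso.example", SUSPECT_UA,     "OfficeHome",      "0",     "203.0.113.10"),  # outside 90 days
    row(1,   "dave@contoso.example",  WIN_UA,         "OfficeHome",      "0",     "192.0.2.5"),     # ordinary Windows UA
    row(5,   "eve@contoso.example",   NEWER_LINUX_UA, "OfficeHome",      "0",     "203.0.113.44"),  # only the loose match catches this
]


def hunt(rows, now=NOW, lookback_days=90, successful_only=False, loose_ua=False):
    """Mirror of the KQL: ago(90d) window, exact UserAgent and AppDisplayName match.

    successful_only adds the `| where ResultType == "0"` tuning; loose_ua
    swaps the exact UA comparison for the version-agnostic regex.
    """
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for r in rows:
        if r["TimeGenerated"] <= cutoff:
            continue
        ua_ok = LOOSE_UA_RE.match(r["UserAgent"]) if loose_ua else r["UserAgent"] == SUSPECT_UA
        if not ua_ok or r["AppDisplayName"] != SUSPECT_APP:
            continue
        if successful_only and r["ResultType"] != "0":
            continue
        hits.append(r)
    return hits


def summarize_by_user(hits):
    """Equivalent of `| summarize count(), make_set(IPAddress) by UserPrincipalName`."""
    out = defaultdict(lambda: {"count": 0, "ips": set()})
    for r in hits:
        out[r["UserPrincipalName"]]["count"] += 1
        out[r["UserPrincipalName"]]["ips"].add(r["IPAddress"])
    return {u: {"count": v["count"], "ips": sorted(v["ips"])} for u, v in out.items()}


if __name__ == "__main__":
    for upn, info in summarize_by_user(hunt(SAMPLE_SIGNIN_LOGS, successful_only=True)).items():
        print(f"{upn}: {info['count']} successful OfficeHome sign-in(s) from {', '.join(info['ips'])}")
```

With the sample rows, the literal translation of the query returns three hits, all for alice (two successful, one failed); restricting to ResultType "0" drops the failed attempt, and the loose user-agent match additionally picks up eve's Chrome 124 sign-in that the exact string misses. The per-user summary is what you would actually pivot on: one account, two source IPs, within two days.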

Details

Steven Lim

Released: August 2, 2024

Tables

SigninLogs

Keywords

SigninLogs, TimeGenerated, UserAgent, AppDisplayName

Operators

SigninLogs, |, where, >, ago(), ==