Query Details

Azure Active Dirctory - PowerShell

Azure AD Power Shell

Query

let timeframe = 90d;
SigninLogs 
| where TimeGenerated >= ago(timeframe)
| where AppDisplayName has_any ("Azure Active Directory PowerShell","Microsoft Exchange Online Remote PowerShell")
| where ResultType != 0
| project TimeGenerated, Identity, Location, AlternateSignInName, AppDisplayName, AppId, DeviceDetail, IPAddress, LocationDetails, NetworkLocationDetails, AuthenticationDetails, ResultType, ResultDescription
| extend City = parse_json(LocationDetails["city"])
| extend DeviceOS = parse_json(DeviceDetail["operatingSystem"])
| extend Browser = parse_json(DeviceDetail["browser"])
| extend authenticationMethod = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod) 
| extend authenticationStepDateTime = tostring(parse_json(AuthenticationDetails)[0].authenticationStepDateTime)
| extend succeeded = tostring(parse_json(AuthenticationDetails)[0].succeeded)
| project TimeGenerated,authenticationMethod,authenticationStepDateTime,succeeded, Identity, AlternateSignInName, AppDisplayName, AppId,IPAddress, DeviceOS, Browser,Location, City, ResultType, ResultDescription

About this query

Azure Active Dirctory - PowerShell

Query Information

Description

Use the below queries to identify Azure Active Directory sign-ins with Azure Active Directory PowerShell or Microsoft Exchange Online Remote PowerShell

References

Microsoft 365 Defender

Explanation

This query is used to identify Azure Active Directory sign-ins made using Azure Active Directory PowerShell or Microsoft Exchange Online Remote PowerShell. It filters the sign-in logs based on a specified timeframe and checks for specific application display names. It also includes various details such as time generated, identity, location, alternate sign-in name, app display name, app ID, device details, IP address, location details, network location details, authentication details, result type, and result description. Additionally, it parses and extends some fields like city, device operating system, browser, authentication method, authentication step date and time, and success status. The final result includes the selected fields for analysis.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 4, 2023

Tables

SigninLogs

Keywords

Keywords: SigninLogsTimeGeneratedIdentityLocationAlternateSignInNameAppDisplayNameAppIdDeviceDetailIPAddressLocationDetailsNetworkLocationDetailsAuthenticationDetailsResultTypeResultDescriptionCityDeviceOSBrowserauthenticationMethodauthenticationStepDateTimesucceeded

Operators

wherehas_any!=projectextendparse_jsontostring

Actions

GitHub