Azure AD PowerShell

Query

# Azure Active Directory - PowerShell

## Query Information

### Description

Use the query below to identify Azure Active Directory sign-ins made with Azure Active Directory PowerShell or Microsoft Exchange Online Remote PowerShell.

#### References

### Microsoft 365 Defender

```kql
// Look back 90 days; adjust the window as needed
let timeframe = 90d;
SigninLogs
| where TimeGenerated >= ago(timeframe)
// Sign-ins made through the two PowerShell client applications (has_any is case-insensitive)
| where AppDisplayName has_any ("Azure Active Directory PowerShell", "Microsoft Exchange Online Remote PowerShell")
// ResultType is a string column; "0" is a successful sign-in, anything else is a failure
| where ResultType != "0"
| project TimeGenerated, Identity, Location, AlternateSignInName, AppDisplayName, AppId, DeviceDetail, IPAddress, LocationDetails, NetworkLocationDetails, AuthenticationDetails, ResultType, ResultDescription
// LocationDetails and DeviceDetail are already dynamic; pull the fields of interest out as strings
| extend City = tostring(LocationDetails["city"])
| extend DeviceOS = tostring(DeviceDetail["operatingSystem"])
| extend Browser = tostring(DeviceDetail["browser"])
// AuthenticationDetails is a JSON string with one entry per authentication step; take the first step
| extend authenticationMethod = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| extend authenticationStepDateTime = tostring(parse_json(AuthenticationDetails)[0].authenticationStepDateTime)
| extend succeeded = tostring(parse_json(AuthenticationDetails)[0].succeeded)
| project TimeGenerated, authenticationMethod, authenticationStepDateTime, succeeded, Identity, AlternateSignInName, AppDisplayName, AppId, IPAddress, DeviceOS, Browser, Location, City, ResultType, ResultDescription
```

Explanation

This query identifies Azure Active Directory sign-ins made with Azure Active Directory PowerShell or Microsoft Exchange Online Remote PowerShell. It restricts the SigninLogs table to the chosen timeframe (90 days), keeps only rows whose application display name matches one of the two PowerShell clients and, because ResultType is "0" only for a successful sign-in, retains only failed sign-in attempts. It first projects the raw fields of interest (time generated, identity, location, alternate sign-in name, app display name, app ID, device details, IP address, location details, network location details, authentication details, result type and result description), then extends each row with values extracted from the nested fields: the city from LocationDetails, the operating system and browser from DeviceDetail, and the authentication method, authentication step time and success flag of the first entry in AuthenticationDetails. The final project keeps the flattened columns for analysis.
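The same filtering and flattening logic, applied offline to exported SigninLogs rows, as an added Python example (not part of the original page or the author's query). The sample records, the reference time, the AppId placeholder and the result codes are constructed for the example; `has_any` is approximated with a case-insensitive substring match, and `parse_json(AuthenticationDetails)[0]` with a JSON decode that tolerates malformed or empty input.

```python
import json
from datetime import datetime, timedelta, timezone

# The application display names the KQL query matches with has_any.
WATCHED_APPS = (
    "Azure Active Directory PowerShell",
    "Microsoft Exchange Online Remote PowerShell",
)

# Reference time for the 90-day window (constructed; the query uses ago(90d) against "now").
NOW = datetime(2023, 6, 4, tzinfo=timezone.utc)


def _sample(ts, identity, app, result_type, description, method, succeeded):
    """Build one constructed SigninLogs-like row (test data, not a real log entry).

    AuthenticationDetails is kept as a JSON string, as it is in SigninLogs, while
    DeviceDetail and LocationDetails are already objects (dynamic in KQL).
    """
    return {
        "TimeGenerated": ts, "Identity": identity, "AlternateSignInName": identity,
        "AppDisplayName": app, "AppId": "PLACEHOLDER-APP-ID",
        "IPAddress": "203.0.113.10", "Location": "US",
        "LocationDetails": {"city": "Seattle"},
        "DeviceDetail": {"operatingSystem": "Windows 10", "browser": "Other"},
        "AuthenticationDetails": json.dumps([{
            "authenticationMethod": method,
            "authenticationStepDateTime": ts,
            "succeeded": succeeded,
        }]),
        "ResultType": result_type, "ResultDescription": description,
    }


# Constructed sample rows: one in-window failure per watched app, one success,
# one failure against an unwatched app and one failure older than 90 days.
SAMPLE_SIGNINS = [
    _sample("2023-06-03T08:15:00Z", "alice@example.com", "Azure Active Directory PowerShell",
            "50126", "Invalid username or password", "Password", False),
    _sample("2023-06-02T11:00:00Z", "bob@example.com", "Microsoft Exchange Online Remote PowerShell",
            "0", "", "Password", True),
    _sample("2023-06-01T09:30:00Z", "carol@example.com", "Office 365 Exchange Online",
            "50126", "Invalid username or password", "Password", False),
    _sample("2023-01-15T22:45:00Z", "dave@example.com", "Microsoft Exchange Online Remote PowerShell",
            "50126", "Invalid username or password", "Password", False),
    _sample("2023-06-03T23:59:00Z", "erin@example.com", "Microsoft Exchange Online Remote PowerShell",
            "500121", "Authentication failed during strong authentication request",
            "Mobile app notification", False),
]


def _parse_time(value):
    """SigninLogs exports use ISO 8601 with a trailing Z; fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _first_auth_step(authentication_details):
    """Mirror parse_json(AuthenticationDetails)[0]: first step, or {} if absent or malformed."""
    try:
        steps = json.loads(authentication_details or "[]")
    except (json.JSONDecodeError, TypeError):
        return {}
    return steps[0] if isinstance(steps, list) and steps else {}


def find_failed_powershell_signins(rows, now=NOW, timeframe=timedelta(days=90)):
    """Return the flattened rows the KQL query would produce for the given records."""
    cutoff = now - timeframe
    hits = []
    for row in rows:
        if _parse_time(row["TimeGenerated"]) < cutoff:          # TimeGenerated >= ago(timeframe)
            continue
        app = row.get("AppDisplayName", "").lower()
        if not any(name.lower() in app for name in WATCHED_APPS):  # AppDisplayName has_any (...)
            continue
        if str(row.get("ResultType", "")) == "0":              # ResultType != "0"
            continue
        step = _first_auth_step(row.get("AuthenticationDetails"))
        device = row.get("DeviceDetail") or {}
        location = row.get("LocationDetails") or {}
        hits.append({
            "TimeGenerated": row["TimeGenerated"],
            "authenticationMethod": str(step.get("authenticationMethod", "")),
            "authenticationStepDateTime": str(step.get("authenticationStepDateTime", "")),
            "succeeded": str(step.get("succeeded", "")),
            "Identity": row.get("Identity"),
            "AlternateSignInName": row.get("AlternateSignInName"),
            "AppDisplayName": row.get("AppDisplayName"),
            "AppId": row.get("AppId"),
            "IPAddress": row.get("IPAddress"),
            "DeviceOS": device.get("operatingSystem"),
            "Browser": device.get("browser"),
            "Location": row.get("Location"),
            "City": location.get("city"),
            "ResultType": row.get("ResultType"),
            "ResultDescription": row.get("ResultDescription"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_failed_powershell_signins(SAMPLE_SIGNINS):
        print(hit["TimeGenerated"], hit["Identity"], hit["AppDisplayName"],
              hit["ResultType"], hit["authenticationMethod"])
```

Running the block prints the two rows that survive all three filters (the in-window failures for the two PowerShell clients); the successful sign-in, the unwatched application and the record older than the window are dropped, which is the same set the KQL query returns.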

Details


Alex Verboon

Released: June 4, 2023

Tables

SigninLogs

Keywords

SigninLogs, TimeGenerated, Identity, Location, AlternateSignInName, AppDisplayName, AppId, DeviceDetail, IPAddress, LocationDetails, NetworkLocationDetails, AuthenticationDetails, ResultType, ResultDescription, City, DeviceOS, Browser, authenticationMethod, authenticationStepDateTime, succeeded

Operators

where, has_any, !=, project, extend, parse_json, tostring
