Query Details

Azure Activity From Other Ip Address

Query

// Azure Activity from IP Address which is different from sign-in
AzureActivity
    // keep only operations performed by a service principal (managed identities included)
    | where parse_json(tostring(Authorization_d.evidence)).principalType == "ServicePrincipal"
    | extend ClaimsObjectIdentifier = parse_json(Claims)["http://schemas.microsoft.com/identity/claims/objectidentifier"]
    | extend parsedClaims = parse_json(Claims_d)
    // the uti claim is the unique token identifier used to correlate with the sign-in logs
    | project TimeGenerated, CorrelationId, OperationName, ResourceProviderValue, _ResourceId, ActivityIpAddress = CallerIpAddress, AppId = Claims_d.appid, Uti = tostring(Claims_d.uti)
    | join kind=inner (
        union AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs
        | project ConditionalAccessPolicies, ConditionalAccessStatus, ServicePrincipalCredentialKeyId, SignInIpAddress = IPAddress, UniqueTokenIdentifier
    ) on $left.Uti == $right.UniqueTokenIdentifier
    // report only pairs with a non-empty sign-in IP that differs from the activity IP
    | where ActivityIpAddress != SignInIpAddress and SignInIpAddress != ""

Explanation

This query retrieves Azure activity performed with a service principal token from an IP address that differs from the IP address of the sign-in that issued the token. It keeps only AzureActivity rows whose authorization evidence names a ServicePrincipal, takes the uti claim (the unique token identifier) from the caller's claims, and inner-joins it on UniqueTokenIdentifier against the union of the service principal and managed identity sign-in logs, so every activity row is paired with the sign-in that produced its token; activity whose token has no matching sign-in is dropped by the inner join. The final filter keeps pairs where the activity IP address (CallerIpAddress) differs from the sign-in IP address, and also discards sign-ins with an empty IP address so that missing data is not reported as a mismatch. The joined columns (ConditionalAccessStatus, ConditionalAccessPolicies, ServicePrincipalCredentialKeyId) show which credential and policy outcome were behind the sign-in.
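The following is an added example and not part of the original query page or the author's code: it models the KQL above in plain Python so the correlation logic can be reasoned about and unit-tested offline. All records are constructed sample rows using documentation IP ranges (the table layouts, the "evidence" field carried as a JSON string, and the token identifiers are assumptions for the example), and they cover each branch of the query: a mismatch from each sign-in table, a same-IP pair, a user principal, an empty sign-in IP, and a token with no sign-in at all. An IP mismatch on its own is a triage signal rather than proof of token misuse (split egress, NAT or proxy changes between the token request and the resource call produce the same pattern), which is why the joined credential key and Conditional Access columns are kept on each hit.

```python
"""Offline model of the 'Azure Activity From Other IP Address' correlation.

Added example, not the page's own code. Every record below is constructed
sample data with documentation IP ranges, not real telemetry.
"""
import json


def _activity(corr, ip, uti, principal_type="ServicePrincipal"):
    """Constructed AzureActivity row with only the columns the query touches."""
    return {
        "TimeGenerated": "2023-10-15T08:00:00Z",
        "CorrelationId": corr,
        "OperationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
        "ResourceProviderValue": "MICROSOFT.COMPUTE",
        "_ResourceId": "/subscriptions/sub-1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
        "CallerIpAddress": ip,
        # assumption: evidence is a JSON string, mirroring parse_json(tostring(...)) in the KQL
        "Authorization_d": {"evidence": json.dumps({"principalType": principal_type})},
        "Claims_d": {"appid": "app-" + corr, "uti": uti},
    }


def _sign_in(uti, ip, key_id):
    """Constructed AADServicePrincipalSignInLogs / AADManagedIdentitySignInLogs row."""
    return {
        "UniqueTokenIdentifier": uti,
        "IPAddress": ip,
        "ServicePrincipalCredentialKeyId": key_id,
        "ConditionalAccessStatus": "notApplied",
        "ConditionalAccessPolicies": [],
    }


AZURE_ACTIVITY = [
    _activity("c1", "203.0.113.10", "token-A"),          # SP, different IP -> hit
    _activity("c2", "203.0.113.20", "token-B"),          # SP, same IP -> no hit
    _activity("c3", "203.0.113.30", "token-C", "User"),  # user, removed by principalType filter
    _activity("c4", "203.0.113.40", "token-D"),          # sign-in has empty IP -> no hit
    _activity("c5", "203.0.113.50", "token-E"),          # no sign-in row -> dropped by inner join
    _activity("c6", "203.0.113.60", "token-F"),          # managed identity, different IP -> hit
]
AAD_SP_SIGNINS = [
    _sign_in("token-A", "198.51.100.5", "key-1"),
    _sign_in("token-B", "203.0.113.20", "key-2"),
    _sign_in("token-D", "", "key-4"),
]
AAD_MI_SIGNINS = [
    _sign_in("token-C", "192.0.2.9", "key-3"),
    _sign_in("token-F", "198.51.100.7", "key-6"),
]


def is_service_principal_activity(row):
    """Model of the principalType == "ServicePrincipal" filter; accepts string or parsed evidence."""
    evidence = row.get("Authorization_d", {}).get("evidence", "{}")
    if isinstance(evidence, str):
        evidence = json.loads(evidence or "{}")
    return evidence.get("principalType") == "ServicePrincipal"


def project_activity(row):
    """Model of the activity-side project, with the uti claim as the join key."""
    claims = row.get("Claims_d", {})
    return {
        "TimeGenerated": row["TimeGenerated"],
        "CorrelationId": row["CorrelationId"],
        "OperationName": row["OperationName"],
        "ResourceProviderValue": row["ResourceProviderValue"],
        "_ResourceId": row["_ResourceId"],
        "ActivityIpAddress": row["CallerIpAddress"],
        "AppId": claims.get("appid"),
        "Uti": str(claims.get("uti", "")),
    }


def index_sign_ins(sp_sign_ins, mi_sign_ins):
    """Model of union + project over both sign-in tables, keyed by UniqueTokenIdentifier."""
    index = {}
    for row in list(sp_sign_ins) + list(mi_sign_ins):
        index.setdefault(row["UniqueTokenIdentifier"], []).append({
            "ConditionalAccessPolicies": row.get("ConditionalAccessPolicies"),
            "ConditionalAccessStatus": row.get("ConditionalAccessStatus"),
            "ServicePrincipalCredentialKeyId": row.get("ServicePrincipalCredentialKeyId"),
            "SignInIpAddress": row.get("IPAddress") or "",
            "UniqueTokenIdentifier": row["UniqueTokenIdentifier"],
        })
    return index


def activity_from_other_ip(activity_rows, sp_sign_ins, mi_sign_ins):
    """Return activity/sign-in pairs where the token was used from an IP other than the sign-in IP."""
    sign_ins = index_sign_ins(sp_sign_ins, mi_sign_ins)
    results = []
    for row in activity_rows:
        if not is_service_principal_activity(row):
            continue
        act = project_activity(row)
        # join kind=inner: an activity whose token has no sign-in row produces nothing
        for sign_in in sign_ins.get(act["Uti"], []):
            # SignInIpAddress != "" keeps missing data from being reported as a mismatch
            if sign_in["SignInIpAddress"] == "":
                continue
            if act["ActivityIpAddress"] != sign_in["SignInIpAddress"]:
                results.append({**act, **sign_in})
    return results


if __name__ == "__main__":
    for hit in activity_from_other_ip(AZURE_ACTIVITY, AAD_SP_SIGNINS, AAD_MI_SIGNINS):
        print(hit["Uti"], hit["AppId"], hit["ActivityIpAddress"], "!=", hit["SignInIpAddress"],
              "credential", hit["ServicePrincipalCredentialKeyId"])
```

Running the script prints the two hits (token-A and token-F); swapping the constructed lists for rows exported from a workspace lets the same functions check that a tuned variant of the query still drops the same-IP, user-principal, empty-IP and unmatched cases.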

Details

Thomas Naunheim

Released: October 15, 2023

Tables

AzureActivity, AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs

Keywords

AzureActivity, Authorization_d, ClaimsObjectIdentifier, Claims, http://schemas.microsoft.com/identity/claims/objectidentifier, parsedClaims, TimeGenerated, CorrelationId, OperationName, ResourceProviderValue, _ResourceId, CallerIpAddress, AppId, Claims_d, uti, AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs, ConditionalAccessPolicies, ConditionalAccessStatus, ServicePrincipalCredentialKeyId, SignInIpAddress, UniqueTokenIdentifier

Operators

where, parse_json, tostring, extend, project, join, kind=inner, union, on, $left, $right, !=