Query Details

DCA Risk Event Followed by Mailbox Rule Changes

Query

//Alert when a user triggers an Azure AD risk event and then creates or updates inbox rules within a short time frame

//Data connector required for this query - Azure Active Directory - AAD User Risk Events
//Data connector required for this query - M365 Defender - CloudAppEvents

//In this example it will detect when the inbox rule change happens within 120 minutes after the risk event
AADUserRiskEvents
| where TimeGenerated > ago(1d)
| where DetectionTimingType == "realtime"
| where RiskDetail <> "aiConfirmedSigninSafe"
| project RiskTime=TimeGenerated, UserPrincipalName, RiskEventType, RiskyIP=IpAddress
//UPN casing can differ between the two tables and == is case-sensitive, so join on a lower-cased copy
| extend JoinKey=tolower(UserPrincipalName)
| join kind=inner (
    CloudAppEvents
    | where TimeGenerated > ago(1d)
    | extend Operation = tostring(RawEventData.Operation)
    | where Operation in ("New-InboxRule", "Set-InboxRule")
    | extend UserId = tolower(tostring(RawEventData.UserId))
    | project RuleTime=TimeGenerated, UserId, MailForwardIP=IPAddress, ActivityObjects
    )
    on $left.JoinKey == $right.UserId
//Keep only rule changes that follow the risk event: a bare "< 120" test would also pass large negative gaps
| extend ['Minutes Between Events']=datetime_diff("minute", RuleTime, RiskTime)
| where ['Minutes Between Events'] between (0 .. 120)
| project-away UserId, JoinKey
| project-reorder
    UserPrincipalName,
    RiskTime,
    RuleTime,
    ['Minutes Between Events'],
    RiskyIP,
    MailForwardIP,
    RiskEventType,
    ActivityObjects

Explanation

This query detects when a user triggers an Azure AD risk event and then creates or updates inbox rules within a short time frame. It uses two data connectors: Azure Active Directory User Risk Events and M365 Defender CloudAppEvents. The query filters the events in each table on certain conditions, joins the two datasets on the user, calculates the time difference between the events, and selects specific columns for the final result. The result includes the user principal name, risk event time, rule event time, minutes between events, risky IP, mail forward IP, risk event type, and activity objects.
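The same correlation replayed in Python over constructed rows, as an added example that is not part of the original query page: it mirrors the two filters, the UPN join and the time-window test, and shows two things the paragraph does not, namely that the window must be bounded on both sides (a bare "< 120" test also passes rules changed before the risk event) and that the UPN comparison should be case-insensitive. The function name `correlate` and the sample rows are assumptions; the field names follow the two tables' columns and all values are constructed.

```python
from datetime import datetime

WINDOW_MINUTES = 120  # same threshold as the query
# Constructed sample rows standing in for the two tables (not real telemetry);
# the query's 1-day lookback is left out here.
RISK_EVENTS = [
    {"TimeGenerated": datetime(2022, 6, 17, 9, 0), "UserPrincipalName": "Alice@Contoso.com",
     "RiskEventType": "unfamiliarFeatures", "DetectionTimingType": "realtime",
     "RiskDetail": "none", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": datetime(2022, 6, 17, 9, 5), "UserPrincipalName": "bob@contoso.com",
     "RiskEventType": "anonymizedIPAddress", "DetectionTimingType": "realtime",
     "RiskDetail": "aiConfirmedSigninSafe", "IpAddress": "203.0.113.11"},
]
CLOUD_APP_EVENTS = [
    # rule created 45 minutes after Alice's risk event: the case the query is after
    {"TimeGenerated": datetime(2022, 6, 17, 9, 45), "IPAddress": "203.0.113.10",
     "RawEventData": {"Operation": "New-InboxRule", "UserId": "alice@contoso.com"},
     "ActivityObjects": "[constructed rule: forward to external]"},
    # rule changed three hours BEFORE the risk event: a bare "< 120" test still passes it
    {"TimeGenerated": datetime(2022, 6, 17, 6, 0), "IPAddress": "198.51.100.5",
     "RawEventData": {"Operation": "Set-InboxRule", "UserId": "alice@contoso.com"},
     "ActivityObjects": "[constructed rule: move newsletters]"},
    # Bob's risk event was dismissed as safe, so his rule must not join
    {"TimeGenerated": datetime(2022, 6, 17, 9, 30), "IPAddress": "203.0.113.11",
     "RawEventData": {"Operation": "New-InboxRule", "UserId": "bob@contoso.com"},
     "ActivityObjects": "[constructed rule: delete]"},
]

def correlate(risk_events, cloud_app_events, window=WINDOW_MINUTES, require_order=True):
    """Replay the query: filter both sides, join on the UPN, keep pairs inside the window.
    require_order=True keeps 0 <= minutes <= window (rule after risk event); False reproduces
    a bare 'minutes < window' test, which also passes negative differences."""
    risky = [r for r in risk_events if r["DetectionTimingType"] == "realtime"
             and r["RiskDetail"] != "aiConfirmedSigninSafe"]
    hits = []
    for r in risky:
        for e in cloud_app_events:
            if e["RawEventData"]["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
                continue
            # UPN casing differs between the two sources, so normalise before comparing
            if e["RawEventData"]["UserId"].lower() != r["UserPrincipalName"].lower():
                continue
            minutes = int((e["TimeGenerated"] - r["TimeGenerated"]).total_seconds() // 60)
            if (0 <= minutes <= window) if require_order else (minutes < window):
                hits.append({"UserPrincipalName": r["UserPrincipalName"], "RiskTime": r["TimeGenerated"],
                             "RuleTime": e["TimeGenerated"], "MinutesBetweenEvents": minutes,
                             "RiskyIP": r["IpAddress"], "MailForwardIP": e["IPAddress"],
                             "RiskEventType": r["RiskEventType"], "ActivityObjects": e["ActivityObjects"]})
    return hits
```

Run with `require_order=False` to see the three-hour-earlier rule change slip through; the default returns only the rule created after the risk event.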

Details

Matt Zorich

Released: June 17, 2022

Tables

AADUserRiskEvents, CloudAppEvents

Keywords

AADUserRiskEvents, CloudAppEvents, TimeGenerated, DetectionTimingType, RiskDetail, UserPrincipalName, RiskEventType, IpAddress, Operation, RawEventData, UserId, MailForwardIP, ActivityObjects

Operators

ago, where, project, join, extend, datetime_diff, project-away, project-reorder