Query Details

Detecting High Risk Passkey Users

Query

// Detecting High Risk Passkey Users
// https://www.linkedin.com/posts/activity-7193644152645959682-ylGM/

// As the use of passkeys becomes more popular due to their phishing-resistant advantages and their additional security through device biometrics, it’s important to recognize that there is still a risk of device compromise or potential compromise of the password manager storing the sync-able passkey. Consequently, security operations must actively monitor passkey users who are considered high risk and be prepared to revoke their passkeys when necessary or exclude them from the FIDO sign in policy.

// KQL for detecting High Risk Passkey Users: 

SigninLogs
| where RiskEventTypes_V2 != "[]"
| where RiskLevelAggregated == "high"
| where RiskLevelDuringSignIn == "high"
| where RiskState == "atRisk"
| where AuthenticationDetails contains "FIDO2 security key"

Explanation

This KQL (Kusto Query Language) query is designed to identify high-risk users who are using passkeys, specifically FIDO2 security keys, for signing in. Here's a simplified summary:

  1. Source Data: The query looks at the SigninLogs.
  2. Risk Events: It keeps only entries that carry at least one risk event (RiskEventTypes_V2 is not the empty array "[]").
  3. High Risk Levels: It further narrows down to entries where both the aggregated risk level (RiskLevelAggregated) and the risk level during sign-in (RiskLevelDuringSignIn) are marked as "high".
  4. At Risk State: It ensures that the risk state is "atRisk".
  5. FIDO2 Authentication: Finally, it checks if the authentication method used includes "FIDO2 security key".

In essence, this query helps security teams identify users who are considered high risk and are using FIDO2 security keys, so they can take appropriate actions such as revoking passkeys or modifying sign-in policies.
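As an added example that is not part of the original post, the same detection extended to parse each authentication step and summarize per user, so the output can feed a revoke-or-exclude decision. It keeps the page's risk filters unchanged and assumes the Entra sign-in log schema for the AuthenticationDetails array (fields authenticationMethod and succeeded) and the newer "Passkey (...)" method names alongside "FIDO2 security key".

```kql
// Added example (not the original post's query): high-risk passkey sign-ins,
// parsed per authentication step and summarized per user.
// Assumed: AuthenticationDetails is a JSON array of steps with the fields
// authenticationMethod and succeeded; newer passkey methods are named "Passkey (...)".
SigninLogs
| where TimeGenerated > ago(7d)
// Same risk filters as the original query
| where RiskEventTypes_V2 != "[]"
| where RiskLevelAggregated == "high"
| where RiskLevelDuringSignIn == "high"
| where RiskState == "atRisk"
// One row per authentication step, rather than a substring match on the whole blob
| mv-expand AuthStep = parse_json(AuthenticationDetails)
| extend AuthMethod = tostring(AuthStep.authenticationMethod),
         StepSucceeded = tobool(AuthStep.succeeded)
// Match the FIDO2 security key method and the newer passkey method names
| where AuthMethod has "FIDO2" or AuthMethod has "Passkey"
| summarize
    PasskeyStepsSeen = count(),
    SuccessfulPasskeySteps = countif(StepSucceeded),
    RiskEventTypes = make_set(RiskEventTypes_V2),
    PasskeyMethods = make_set(AuthMethod),
    SourceIPs = make_set(IPAddress),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by UserPrincipalName, UserId
// Users with the most recent successful passkey sign-ins while at high risk come first
| order by SuccessfulPasskeySteps desc, LastSeen desc
```

The resulting user list is the set to review for passkey revocation or for exclusion from the FIDO sign-in policy; a successful step count of zero means the risky sign-ins were attempted with a passkey but did not complete.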

Details


Steven Lim

Released: August 2, 2024

Tables

SigninLogs

Keywords

SigninLogs, RiskEventTypes_V2, RiskLevelAggregated, RiskLevelDuringSignIn, RiskState, AuthenticationDetails

Operators

SigninLogs, |, where, !=, ==, contains
