
# Disabled Account Attack Disruption

## Query Information

#### Description
Automatic attack disruption in Defender XDR disables a cloud or hybrid account when Microsoft Defender for Identity (MDI) observes suspicious activity on it. This query lists the accounts that have been disabled by MDI.

#### Risk
Each listed account was disabled because MDI observed suspicious activity on it, so it should be treated as potentially compromised and investigated before it is re-enabled.

#### References
- https://learn.microsoft.com/en-us/defender-cloud-apps/protect-azure
- https://learn.microsoft.com/en-us/defender-xdr/automatic-attack-disruption

## Defender XDR
```KQL
CloudAppEvents
| where ActionType == "Disable account."
// Disabled by Microsoft Defender for Identity
| where AccountId == "60ca1954-583c-4d1f-86de-39d835f3e452"
| extend DisabledAccount = tostring(RawEventData.ObjectId)
| project Timestamp, ActionType, DisabledAccount
```

## Sentinel
```KQL
CloudAppEvents
| where ActionType == "Disable account."
// Disabled by Microsoft Defender for Identity
| where AccountId == "60ca1954-583c-4d1f-86de-39d835f3e452"
| extend DisabledAccount = tostring(RawEventData.ObjectId)
| project TimeGenerated, ActionType, DisabledAccount
```

Explanation

This query identifies and lists cloud or hybrid accounts that Microsoft Defender for Identity (MDI) has disabled through automatic attack disruption because of suspicious activity. The query is provided for two environments, Defender XDR and Sentinel, and the two versions differ only in the name of the time column. Here's a simplified breakdown:

  1. Purpose: Detect accounts that were automatically disabled because they were involved in suspicious activity, which could indicate an active security threat.

  2. Data Source: The query reads CloudAppEvents, which logs actions performed in connected cloud applications.

  3. Filter Criteria:

    • The action type must be exactly "Disable account." (the trailing period is part of the logged value), indicating that the account was disabled.
    • The disabling action must have been performed by Microsoft Defender for Identity, identified by its AccountId ("60ca1954-583c-4d1f-86de-39d835f3e452").

  4. Output:

    • The query extracts the timestamp of the event, the action type, and the ID of the disabled account, taken from RawEventData.ObjectId.
    • In Defender XDR, the timestamp column is Timestamp, while in Sentinel, it is TimeGenerated.

  5. Risk: The accounts listed by this query are considered at risk because they were disabled due to potentially malicious activities.

This query helps security teams quickly identify and respond to accounts that have been flagged and disabled for security reasons.
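As an added example, not part of the original query page, the following KQL runs the same filter over a constructed datatable that stands in for CloudAppEvents and extends it with a check a responder usually wants next: whether an account that MDI disabled was later re-enabled, and by whom. The sample rows, the account names, the helpdesk-admin actor and its AccountId are all constructed; the "Enable account." ActionType is assumed to be logged with the same trailing-period convention as "Disable account.". To run it against a tenant, replace the datatable with CloudAppEvents (and use TimeGenerated instead of Timestamp in Sentinel).

```kql
// Constructed stand-in for CloudAppEvents; none of these rows are real tenant data.
// Rows 1-2: accounts disabled by MDI (the AccountId from the original query).
// Row 3:    alice re-enabled 90 minutes later by a constructed helpdesk admin.
// Row 4:    a disable performed by that human admin, not by MDI; must not be listed.
let SampleCloudAppEvents = datatable(
    Timestamp:datetime, ActionType:string, AccountId:string,
    AccountDisplayName:string, RawEventData:dynamic)
[
    datetime(2025-06-08 10:00:00), "Disable account.", "60ca1954-583c-4d1f-86de-39d835f3e452",
        "Microsoft Defender for Identity", dynamic({"ObjectId": "alice@contoso.example"}),
    datetime(2025-06-08 10:05:00), "Disable account.", "60ca1954-583c-4d1f-86de-39d835f3e452",
        "Microsoft Defender for Identity", dynamic({"ObjectId": "bob@contoso.example"}),
    datetime(2025-06-08 11:30:00), "Enable account.", "11111111-2222-3333-4444-555555555555",
        "helpdesk-admin", dynamic({"ObjectId": "alice@contoso.example"}),
    datetime(2025-06-08 12:00:00), "Disable account.", "11111111-2222-3333-4444-555555555555",
        "helpdesk-admin", dynamic({"ObjectId": "carol@contoso.example"})
];
// Step 1: the original query's logic, parameterised on the MDI actor id
let MdiAccountId = "60ca1954-583c-4d1f-86de-39d835f3e452";
let DisabledByMdi = SampleCloudAppEvents
    | where ActionType == "Disable account."      // the trailing period is part of the value
    | where AccountId == MdiAccountId
    | extend DisabledAccount = tostring(RawEventData.ObjectId)
    | project DisabledTime = Timestamp, DisabledAccount;
// Step 2: every enable of an account, whoever performed it
let ReEnabled = SampleCloudAppEvents
    | where ActionType == "Enable account."        // assumed: same naming convention as the disable event
    | extend DisabledAccount = tostring(RawEventData.ObjectId)
    | project EnabledTime = Timestamp, EnabledBy = AccountDisplayName,
              EnabledByAccountId = AccountId, DisabledAccount;
// Step 3: one row per MDI disable, flagged when the account was re-enabled afterwards.
// leftouter keeps disables with no matching enable; their EnabledTime is null.
DisabledByMdi
| join kind=leftouter ReEnabled on DisabledAccount
| where isnull(EnabledTime) or EnabledTime > DisabledTime
| extend ReEnabledAfterDisruption = isnotnull(EnabledTime)
| project DisabledTime, DisabledAccount, ReEnabledAfterDisruption,
          EnabledTime, EnabledBy, EnabledByAccountId
| order by DisabledTime asc
```

On the constructed rows this returns two results: alice with ReEnabledAfterDisruption true and EnabledBy helpdesk-admin, and bob with the flag false; carol is excluded because her disable was not performed by MDI. Against a tenant, the flagged rows are the ones worth acting on: an account that attack disruption disabled and an operator re-enabled shortly afterwards should be checked against the originating incident rather than assumed to have been a false positive.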

Details


Bert-Jan Pals

Released: June 8, 2025

Tables

CloudAppEvents

Keywords

CloudAppEvents, AccountId, RawEventData, ObjectId, Timestamp, TimeGenerated, ActionType, DisabledAccount, Microsoft Defender Identity

Operators

where, ==, extend, tostring, project
