Query Details

Emergency Access Usage Alert

Query

# KQL query for usage of emergency access (break glass) accounts

To be used as a Log Analytics query in an Azure Monitor log search alert rule with the following settings:

1. Signal name: Custom log search
2. Query: See query
3. Measurement: Aggregation granularity: 5 minutes
4. Alert logic: Operator: Greater than, Threshold value: 0, Frequency of evaluation: 5 minutes
5. Action group: Create new action group called "BreakGlassNotifications"
6. Email notify: Provide appropriate email address
7. Alert rule details: Severity: Critical, Alert rule name: Emergency Access Account Monitor, Alert rule description: "This alert will fire off in the event that an emergency access account is used for sign-in. These accounts should only be used in emergency situations and with prior approval."

```kusto
// Match on the Object IDs (UserId) of the emergency access accounts, not on UPN,
// so a renamed account is still caught. Add one "or" clause per account.
SigninLogs
| where UserId == "Object ID here" or UserId == "Object ID here"
| project TimeGenerated, Identity, UserPrincipalName, AppDisplayName, Status, Location, AuthenticationDetails
| order by TimeGenerated desc
```

Explanation

This KQL query is designed to monitor the usage of emergency access (break glass) accounts by analyzing sign-in logs. Here's a simplified summary of the query and its alert setup:

  1. Purpose: The query checks for sign-ins using specific emergency access accounts, identified by their Object IDs. These accounts are meant for use only in critical situations.

  2. Query Details:

    • It searches the SigninLogs table (interactive user sign-ins) for entries where the UserId matches the specified Object IDs (representing the emergency accounts). Matching on the Object ID rather than the UserPrincipalName means a renamed account is still detected.
    • It retrieves and displays details such as the time of the sign-in, the identity used, the user's principal name, the application accessed, the status of the sign-in, the location, and authentication details.
    • The results are sorted by the time the sign-in occurred, with the most recent sign-ins shown first.
  3. Alert Configuration:

    • Signal Name: Custom log search.
    • Measurement: The aggregation granularity is 5 minutes, so each evaluation counts the rows the query returns for the last 5-minute window.
    • Alert Logic: An alert is triggered if the row count is greater than 0, i.e. if there is any sign-in activity (successful or failed) from these accounts within the 5-minute window; the rule is evaluated every 5 minutes.
    • Action Group: A new action group called "BreakGlassNotifications" is created to handle alerts.
    • Email Notification: Alerts are sent to a specified email address.
    • Alert Rule Details:
      • Severity: Critical, indicating the high importance of monitoring these accounts.
      • Alert Rule Name: Emergency Access Account Monitor.
      • Description: The alert is triggered when an emergency access account is used, emphasizing that such usage should be pre-approved and only in emergencies.

Overall, this setup reports every sign-in by an emergency access account within minutes, so that each occurrence can be reconciled against an approved emergency and anything unexpected can be investigated immediately. Note that SigninLogs covers interactive sign-ins only; non-interactive sign-ins (for example token refreshes by a client on behalf of the account) land in AADNonInteractiveUserSignInLogs and are not caught by this query.
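As an added example (not part of the original page or the author's query), the following variant covers both interactive and non-interactive sign-ins for the same accounts, keeps failed attempts in scope, and adds the fields an analyst needs first when triaging (result code, source IP, sign-in type). It assumes two break-glass accounts, with the Object ID placeholders to be replaced, and that AADNonInteractiveUserSignInLogs is being sent to the same workspace; the table and column names used are the standard Entra ID diagnostic columns.

```kusto
// Added example, not the original query. Replace the placeholders with the
// real Object IDs; the list is an assumption of two break-glass accounts.
let breakGlassAccounts = dynamic(["<object-id-1>", "<object-id-2>"]);
// Lookback only matters when the query is run interactively; the alert rule
// already scopes each evaluation to its 5-minute aggregation window.
let lookback = 5m;
let interactive = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where UserId in (breakGlassAccounts)
    | extend SignInType = "Interactive";
let nonInteractive = AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | where UserId in (breakGlassAccounts)
    | extend SignInType = "NonInteractive";
union interactive, nonInteractive
// ResultType "0" is a successful sign-in; non-zero rows are failed attempts
// against a break-glass account and are deliberately kept in the results.
| project TimeGenerated, SignInType, UserId, UserPrincipalName, AppDisplayName,
          ResultType, ResultDescription, IPAddress, Location
| order by TimeGenerated desc
```

The alert rule settings above apply unchanged: the rule counts the rows this query returns and fires when the count exceeds 0. Only scalar columns that exist with the same type in both tables are projected, since the union would otherwise split columns such as Status (dynamic in SigninLogs, string in the non-interactive table) into separate fields.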

Details


Nathan Hutchinson

Released: February 2, 2026

Tables

SigninLogs

Keywords

SigninLogs, UserId, TimeGenerated, Identity, UserPrincipalName, AppDisplayName, Status, Location, AuthenticationDetails

Operators

==, or, |, where, project, order by, desc
