Query Details

Enriched Entra Sign In Logs Token Protection Network Access

Query

// Correlation of sign-in with details about Token Protection status and Global Secure Access
// Hunting query to correlate UniqueTokenIdentifier for identify Network Access Traffic event (in Global Secure Access) of Token Endpoint request
// and showing details of token binding

union SigninLogs, AADNonInteractiveUserSignInLogs
// Optional: Filter for specific time window, user and only successful sign-ins
// | where UserPrincipalName == "<UserPrincipalName>"
//         and CreatedDateTime between ( todatetime('<StartTime>') .. todatetime('<EndTime>') )
//         and ResultType == "0"
// Filter for sign-ins to home tenant only
| where HomeTenantId == ResourceTenantId
// Expand device details
| extend DeviceDetail = iff(isempty( DeviceDetail_dynamic ), todynamic(DeviceDetail_string), DeviceDetail_dynamic)
| extend DeviceId = tostring(tolower(DeviceDetail.deviceId))
| extend DeviceName = tostring(toupper(DeviceDetail.displayName))
// Expand Token Protection Status details
| extend TokenProtectionStatus = iff(isempty( TokenProtectionStatusDetails_dynamic ), todynamic(TokenProtectionStatusDetails_string), TokenProtectionStatusDetails_dynamic)
| extend SignInSessionStatus = tostring(TokenProtectionStatus.signInSessionStatus)
// Correlate token acquisition with NetworkAccessTraffic logs from GSA
| join kind = leftouter (
    NetworkAccessTraffic
    | project TimeGenerated, TransactionId, ConnectionId, IPAddress = SourceIp, AgentVersion, UserId, DeviceId, UniqueTokenIdentifier = UniqueTokenId, InitiatingProcessName
) on UserId, DeviceId, UniqueTokenIdentifier, IPAddress
// Summarize Results
| project CreatedDateTime, SessionId, IncomingTokenType, SignInSessionStatus, UniqueTokenIdentifier, AppDisplayName, ResourceDisplayName, ClientAppUsed, IsThroughGlobalSecureAccess, InitiatingProcessName, IPAddress, GlobalSecureAccessIpAddress, Location, AutonomousSystemNumber
// Optional: Filtering for specific SessionId
//| where SessionId == @"<SessionId>"
| sort by CreatedDateTime asc

Explanation

This query is designed to analyze and correlate sign-in events with network access traffic, focusing on token protection status and global secure access. Here's a simplified breakdown:

  1. Data Sources: The query combines data from two sources: SigninLogs and AADNonInteractiveUserSignInLogs. These logs contain information about user sign-ins.

  2. Filtering:

    • It optionally allows filtering by a specific user, time window, and successful sign-ins.
    • It specifically looks at sign-ins to the user's home tenant.
  3. Device and Token Details:

    • The query extracts and formats device details, such as DeviceId and DeviceName.
    • It also extracts token protection status details, focusing on the SignInSessionStatus.
  4. Correlation with Network Access Traffic:

    • The query joins the sign-in data with NetworkAccessTraffic logs using common fields like UserId, DeviceId, UniqueTokenIdentifier, and IPAddress.
    • This helps in identifying network access events related to token endpoint requests.
  5. Output:

    • The final output includes various details such as the time of creation, session ID, token type, session status, application names, client app used, and network details.
    • It sorts the results by the creation date and time in ascending order.

Overall, this query helps in understanding the relationship between sign-in events and network access activities, with a focus on token protection and secure access mechanisms.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 19, 2025

Tables

SigninLogsAADNonInteractiveUserSignInLogsNetworkAccessTraffic

Keywords

SigninLogsAADNonInteractiveUserSignInLogsDeviceDetailTokenProtectionStatusNetworkAccessTrafficGlobalSecureAccessUserDeviceTokenEndpointNetworkAccessTrafficSessionAutonomousSystemNumberLocationIPAddress

Operators

unionwhereextendiffisemptytodynamictostringtolowertoupperjoinprojectsort

Actions

GitHub