Query Details
// Correlation of sign-in with details about Token Protection status and Global Secure Access
// Hunting query that correlates the UniqueTokenIdentifier of a token endpoint request with the matching
// Network Access Traffic event (Global Secure Access) and shows the token binding details
union SigninLogs, AADNonInteractiveUserSignInLogs
// Optional: Filter for specific time window, user and only successful sign-ins
// | where UserPrincipalName == "<UserPrincipalName>"
// and CreatedDateTime between ( todatetime('<StartTime>') .. todatetime('<EndTime>') )
// and ResultType == "0"
// Filter for sign-ins to home tenant only
| where HomeTenantId == ResourceTenantId
// Expand device details
| extend DeviceDetail = iff(isempty( DeviceDetail_dynamic ), todynamic(DeviceDetail_string), DeviceDetail_dynamic)
| extend DeviceId = tostring(tolower(DeviceDetail.deviceId))
| extend DeviceName = tostring(tolower(DeviceDetail.displayName))
// Expand Token Protection Status details
| extend TokenProtectionStatus = iff(isempty( TokenProtectionStatusDetails_dynamic ), todynamic(TokenProtectionStatusDetails_string), TokenProtectionStatusDetails_dynamic)
| extend SignInSessionStatus = tostring(TokenProtectionStatus.signInSessionStatus)
// Correlate token acquisition with NetworkAccessTraffic logs from GSA
| join kind = leftouter ( NetworkAccessTraffic
| project TimeGenerated, TransactionId, ConnectionId, IPAddress = SourceIp, AgentVersion, UserId, DeviceId, UniqueTokenIdentifier = UniqueTokenId, InitiatingProcessName
) on UserId, DeviceId, UniqueTokenIdentifier, IPAddress
| extend IsThroughGlobalSecureAccess = iff(isnotempty(TransactionId), true, false)
// Summarize results for simplified view
| project CreatedDateTime, SessionId, IncomingTokenType, SignInSessionStatus, UniqueTokenIdentifier, AppDisplayName, ResourceDisplayName, ClientAppUsed, IsThroughGlobalSecureAccess, InitiatingProcessName, IPAddress, Location, AutonomousSystemNumber
// Optional: Filtering for specific SessionId
//| where SessionId == @"<SessionId>"
| sort by CreatedDateTime asc

This query is designed to analyze and correlate sign-in events with details about token protection status and network access traffic, specifically focusing on Global Secure Access (GSA). Here's a simplified breakdown of what the query does:
Data Sources: It combines data from two sources: SigninLogs and AADNonInteractiveUserSignInLogs. These logs contain information about user sign-ins.
Optional Filters: There are optional filters to narrow down the data to specific users, time frames, and successful sign-ins only.
Home Tenant Filtering: It filters the data to include only sign-ins to the user's home tenant.
Device Details Expansion: The query extracts and standardizes device details, such as DeviceId and DeviceName, from the sign-in logs.
Token Protection Status: It expands details about the token protection status, specifically looking at the SignInSessionStatus.
Correlation with Network Access Traffic: The query joins (leftouter) the sign-in events with NetworkAccessTraffic logs from Global Secure Access on UserId, DeviceId, UniqueTokenIdentifier and IPAddress (SourceIp on the traffic side). Because it is a left outer join, sign-ins without a matching traffic event are kept, and a sign-in whose token appears in several traffic events produces one row per event.
Global Secure Access Indicator: It adds a flag (IsThroughGlobalSecureAccess) that is true when a matching TransactionId exists. A false value only means that no NetworkAccessTraffic row matched: either the token was acquired outside the GSA client, or the traffic logs are not ingested into the workspace, so confirm that NetworkAccessTraffic is populated before treating false as a finding.
Result Summarization: The query projects a simplified view of the results, showing key details such as the sign-in time (CreatedDateTime), session ID, token type, sign-in session status, application names, and network details.
Sorting: Finally, it sorts the results by the creation date and time in ascending order.
This query is useful for security analysts looking to understand the relationship between sign-in events and network access, especially in environments using token protection and Global Secure Access.
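The correlation logic of the query, re-implemented offline in Python over constructed sample rows as an added example (this is not code from the original page or from the query author). The row shapes, the dynamic/string coalescing, the join keys and the left outer join semantics mirror the KQL above; the summarize() pivot at the end is an added hunting step that the original query does not perform, and all user, device and token identifiers are invented.

```python
"""Offline re-implementation of the sign-in / Global Secure Access correlation.
Constructed sample rows stand in for `union SigninLogs, AADNonInteractiveUserSignInLogs`
and for NetworkAccessTraffic; column names follow the KQL query. Not real tenant data."""
import json
from collections import Counter, defaultdict


def _signin(sess, when, user, ip, token, resource_tenant, device, status, as_string):
    """Sign-in-shaped row. After the union, a column that is dynamic in SigninLogs and string in
    AADNonInteractiveUserSignInLogs is split into *_dynamic/*_string; as_string emulates the latter."""
    return {"CreatedDateTime": when, "SessionId": sess, "UserId": user, "IPAddress": ip,
            "UniqueTokenIdentifier": token, "HomeTenantId": "tenant-a",
            "ResourceTenantId": resource_tenant, "IncomingTokenType": "refreshToken",
            "AppDisplayName": "Microsoft Teams",
            "DeviceDetail_dynamic": None if as_string else device,
            "DeviceDetail_string": json.dumps(device) if as_string else "",
            "TokenProtectionStatusDetails_dynamic": None if as_string else status,
            "TokenProtectionStatusDetails_string": json.dumps(status) if as_string else ""}


def _traffic(tx, ip, user, device, token, proc):
    """NetworkAccessTraffic-shaped row (constructed sample data)."""
    return {"TimeGenerated": "2025-03-05T08:00:01Z", "TransactionId": tx, "ConnectionId": f"c-{tx}",
            "SourceIp": ip, "AgentVersion": "2.x", "UserId": user, "DeviceId": device,
            "UniqueTokenId": token, "InitiatingProcessName": proc}


SIGNIN_ROWS = [
    # interactive sign-in, bound token; two GSA traffic events below carry the same token
    _signin("sess-1", "2025-03-05T08:00:00Z", "user-1", "203.0.113.10", "utid-1", "tenant-a",
            {"deviceId": "DEV-AAA", "displayName": "LAPTOP-1"}, {"signInSessionStatus": "bound"}, False),
    # non-interactive sign-in: dynamic columns arrive as JSON strings; no GSA traffic matches it
    _signin("sess-2", "2025-03-05T08:05:00Z", "user-2", "198.51.100.7", "utid-2", "tenant-a",
            {"deviceId": "DEV-BBB", "displayName": "LAPTOP-2"}, {"signInSessionStatus": "unbound"}, True),
    # sign-in to a foreign resource tenant: dropped by the home-tenant filter
    _signin("sess-3", "2025-03-05T08:10:00Z", "user-1", "203.0.113.10", "utid-3", "tenant-b",
            {"deviceId": "DEV-AAA", "displayName": "LAPTOP-1"}, {"signInSessionStatus": "bound"}, False),
]

TRAFFIC_ROWS = [
    _traffic("tx-1", "203.0.113.10", "user-1", "dev-aaa", "utid-1", "ms-teams.exe"),
    _traffic("tx-2", "203.0.113.10", "user-1", "dev-aaa", "utid-1", "ms-teams.exe"),
    # same user, device and IP but a different token: must not match sess-1
    _traffic("tx-3", "203.0.113.10", "user-1", "dev-aaa", "utid-9", "outlook.exe"),
]

JOIN_KEYS = ("UserId", "DeviceId", "UniqueTokenIdentifier", "IPAddress")


def coalesce_dynamic(row, column):
    """Mirror `iff(isempty(X_dynamic), todynamic(X_string), X_dynamic)`."""
    dyn = row.get(f"{column}_dynamic")
    if dyn:
        return dyn
    raw = row.get(f"{column}_string") or ""
    return json.loads(raw) if raw else {}


def enrich_signins(rows):
    """Home-tenant filter plus the DeviceDetail / TokenProtectionStatus expansion."""
    out = []
    for row in rows:
        if row["HomeTenantId"] != row["ResourceTenantId"]:
            continue
        device = coalesce_dynamic(row, "DeviceDetail")
        tps = coalesce_dynamic(row, "TokenProtectionStatusDetails")
        enriched = dict(row)
        # the query lowercases only the sign-in side; NetworkAccessTraffic.DeviceId must already match that case
        enriched["DeviceId"] = str(device.get("deviceId", "")).lower()
        enriched["DeviceName"] = str(device.get("displayName", "")).lower()
        enriched["SignInSessionStatus"] = str(tps.get("signInSessionStatus", ""))
        out.append(enriched)
    return out


def correlate(signin_rows, traffic_rows):
    """`join kind=leftouter` on the four keys: one output row per matching traffic event,
    and an unmatched sign-in survives with IsThroughGlobalSecureAccess == False."""
    index = defaultdict(list)
    for t in traffic_rows:  # `project ... IPAddress = SourceIp, UniqueTokenIdentifier = UniqueTokenId`
        index[(t["UserId"], t["DeviceId"], t["UniqueTokenId"], t["SourceIp"])].append(t)
    results = []
    for s in enrich_signins(signin_rows):
        for m in index.get(tuple(s[k] for k in JOIN_KEYS), [None]):
            results.append({
                "CreatedDateTime": s["CreatedDateTime"], "SessionId": s["SessionId"],
                "IncomingTokenType": s["IncomingTokenType"],
                "SignInSessionStatus": s["SignInSessionStatus"],
                "UniqueTokenIdentifier": s["UniqueTokenIdentifier"],
                "AppDisplayName": s["AppDisplayName"],
                "IsThroughGlobalSecureAccess": m is not None,  # iff(isnotempty(TransactionId), ...)
                "InitiatingProcessName": m["InitiatingProcessName"] if m else "",
                "IPAddress": s["IPAddress"],
            })
    results.sort(key=lambda r: r["CreatedDateTime"])  # `sort by CreatedDateTime asc`
    return results


def summarize(results):
    """Added pivot, not in the original query: row count per (binding status, via GSA)."""
    return Counter((r["SignInSessionStatus"], r["IsThroughGlobalSecureAccess"]) for r in results)


if __name__ == "__main__":
    rows = correlate(SIGNIN_ROWS, TRAFFIC_ROWS)
    for r in rows:
        print(r["SessionId"], r["SignInSessionStatus"], r["IsThroughGlobalSecureAccess"], r["InitiatingProcessName"])
    print(dict(summarize(rows)))
```

Running it shows the two behaviours worth knowing before reading the real query's output: sess-1 appears twice because two traffic events reference its token (the left outer join fans out), and sess-2 is kept with IsThroughGlobalSecureAccess false, which by itself does not distinguish "acquired outside GSA" from "traffic log never ingested". The summarize() pivot groups on SignInSessionStatus and the GSA flag, which is the natural next cut when hunting for bound tokens that were not obtained through the GSA client.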

Thomas Naunheim
Released: March 5, 2025