Query Details

Entra Cross Tenant Activity Monitoring

Query

// Entra Cross-Tenant Activity Monitoring

// The AADSpnSignInEventsBeta table is currently in beta and available for a limited time, enabling you to explore Microsoft Entra sign-in events. To collect and view activities in this table, a Microsoft Entra ID P2 license is required. This table, part of the advanced hunting schema, contains details about sign-ins by Microsoft Entra service principals and managed identities. Below is a custom KQL detection for Microsoft Defender XDR that monitors cross-tenant activity, which can help detect potential OAuth app compromises (e.g. the Midnight Blizzard case).

// Entra Cross-Tenant Activity (Potential App Compromise)
// Please set your Entra home tenant ID

let EntraHomeTenantID = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
AADSpnSignInEventsBeta
| where Timestamp > ago(1h)
| where ResourceTenantId != EntraHomeTenantID
| project Timestamp, ReportId, Application, ApplicationId, ServicePrincipalName, ServicePrincipalId, ResourceTenantId, IPAddress, Country

// After you have obtained the target tenant ID,
// use Microsoft Graph to gather more information on that tenant:
// https://learn.microsoft.com/en-us/graph/api/tenantrelationship-findtenantinformationbytenantid?view=graph-rest-1.0&tabs=http

Explanation

This query is designed to monitor cross-tenant activity in Microsoft Entra, specifically looking for potential compromises of OAuth applications. Here is a simplified breakdown:

  1. Purpose: The query aims to detect suspicious sign-in events by service principals and managed identities across different tenants, which could indicate a compromised application.

  2. Data Source: It uses the AADSpnSignInEventsBeta table, which is in beta and requires a Microsoft Entra ID P2 license.

  3. Filter Criteria:

    • It looks at sign-in events from the past hour (Timestamp > ago(1h)).
    • It keeps only events whose resource tenant differs from the specified home tenant ID (ResourceTenantId != EntraHomeTenantID), i.e. sign-ins by your service principals and managed identities into other tenants.

  4. Output: The query projects (selects) specific columns to display: Timestamp, ReportId, Application, ApplicationId, ServicePrincipalName, ServicePrincipalId, ResourceTenantId, IPAddress, and Country.

  5. Next Steps: After identifying the target tenant ID from the results, you can use Microsoft Graph API to gather more information about the tenant.

In essence, this query helps in identifying and investigating unusual cross-tenant sign-in activities that could signify a security threat.
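Legitimate multi-tenant apps also sign into partner tenants, so the raw result can be noisy. The following is an added variant, not part of the original query, that excludes an assumed allowlist of known partner tenants, aggregates the remaining activity per service principal and target tenant, and pre-builds the Graph lookup URL from the documentation linked above. The allowlist tenant ID and home tenant ID are placeholders.

```kql
// Entra Cross-Tenant Activity: aggregated view with a partner-tenant allowlist
// Placeholder tenant IDs; replace with your own values.
let EntraHomeTenantID = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
// Tenants your multi-tenant apps are expected to sign into (assumed allowlist, constructed)
let KnownPartnerTenants = datatable(ResourceTenantId:string, PartnerName:string) [
    "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY", "Example partner (placeholder)"
];
AADSpnSignInEventsBeta
| where Timestamp > ago(24h)
// Keep only sign-ins to resources outside the home tenant
| where isnotempty(ResourceTenantId) and ResourceTenantId != EntraHomeTenantID
// Drop tenants on the allowlist (leftanti keeps rows with no match on the right)
| join kind=leftanti KnownPartnerTenants on ResourceTenantId
// One row per service principal and foreign tenant, with supporting evidence
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SignInCount = count(),
    SourceIPs = make_set(IPAddress, 20),
    Countries = make_set(Country, 10),
    ReportIds = make_set(ReportId, 5)
    by ServicePrincipalName, ServicePrincipalId, ApplicationId, ResourceTenantId
// Graph request for the enrichment step (URL shape from the linked Microsoft Graph doc)
| extend GraphLookup = strcat(
    "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='",
    ResourceTenantId, "')")
| order by SignInCount desc
```

A tenant that appears with a single sign-in from a new country or IP is the case worth triaging first; a tenant that later turns out to be legitimate belongs in KnownPartnerTenants rather than in an exclusion on the query itself.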

Details

Steven Lim

Released: September 28, 2024

Tables

AADSpnSignInEventsBeta

Operators

let, |, >, ago, !=, project