Query Details
// Entra Passkey Addition Threat Detection
// https://www.linkedin.com/posts/activity-7184406157707390977-6N3C/
// Entra Passkey Addition Threat Detection KQL:
AuditLogs
| where ActivityDisplayName == "Add Passkey (device-bound) security key"
| where Result == "success"
| extend AccountUPN = TargetResources[0].userPrincipalName
| extend AAGUID = AdditionalDetails[1].value
| extend WebAuthnInfo = AdditionalDetails[0].value
| project TimeGenerated, AccountUPN, ActivityDisplayName, AAGUID, WebAuthnInfo
This KQL (Kusto Query Language) query detects successful additions of device-bound passkeys (security keys) in Microsoft Entra ID. Here's a simple summary of what the query does:

It reads the AuditLogs table and keeps only entries whose ActivityDisplayName is "Add Passkey (device-bound) security key" and whose Result is "success". It then extracts:
- AccountUPN: the user principal name (UPN) of the account the passkey was added to (TargetResources[0].userPrincipalName).
- AAGUID: the authenticator attestation GUID identifying the security key (AdditionalDetails[1].value).
- WebAuthnInfo: additional Web Authentication (WebAuthn) registration information (AdditionalDetails[0].value).

The projected columns are TimeGenerated (when the log entry was generated), AccountUPN, ActivityDisplayName (the name of the activity), AAGUID, and WebAuthnInfo.

In essence, this query helps identify when and for whom a device-bound passkey was successfully added, along with some specific details about the security key and the authentication process.
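The same pipeline expressed in Python over constructed audit rows, as an added example that is not part of the original query page: it shows which fields the detection depends on and that the positional AdditionalDetails[0]/[1] lookups yield null (None) when the array is shorter, as they do in KQL. The row shapes, UPNs, AAGUID and WebAuthnInfo values are assumptions for illustration.

```python
from datetime import datetime, timezone

PASSKEY_ACTIVITY = "Add Passkey (device-bound) security key"

# Constructed sample AuditLogs rows in the shape the query relies on. The UPNs,
# AAGUID and WebAuthnInfo values are made up for illustration; the positional
# layout of AdditionalDetails (WebAuthnInfo first, AAGUID second) mirrors the
# query's AdditionalDetails[0] / AdditionalDetails[1] assumption.
def _row(ts, activity, result, upn, details):
    return {
        "TimeGenerated": datetime(2024, 8, 1, *ts, tzinfo=timezone.utc),
        "ActivityDisplayName": activity,
        "Result": result,
        "TargetResources": [{"userPrincipalName": upn}],
        "AdditionalDetails": [{"key": k, "value": v} for k, v in details],
    }

SAMPLE_AUDIT_LOGS = [
    _row((9, 15), PASSKEY_ACTIVITY, "success", "alice@example.com",
         [("WebAuthnInfo", "attestation=packed"), ("AAGUID", "11111111-2222-3333-4444-555555555555")]),
    _row((9, 20), PASSKEY_ACTIVITY, "failure", "bob@example.com",
         [("WebAuthnInfo", "attestation=none"), ("AAGUID", "11111111-2222-3333-4444-555555555555")]),
    _row((9, 25), "Update user", "success", "carol@example.com", []),
    # Success row with an empty AdditionalDetails array: KQL indexing past the
    # end of a dynamic array yields null, so AAGUID/WebAuthnInfo come back None.
    _row((9, 30), PASSKEY_ACTIVITY, "success", "dave@example.com", []),
]

def detect_passkey_additions(rows):
    """Python equivalent of the KQL pipeline: filter on activity and result,
    extend with UPN/AAGUID/WebAuthnInfo, project the five output columns."""
    hits = []
    for row in rows:
        if row.get("ActivityDisplayName") != PASSKEY_ACTIVITY:
            continue
        if row.get("Result") != "success":
            continue
        targets = row.get("TargetResources") or []
        details = row.get("AdditionalDetails") or []
        hits.append({
            "TimeGenerated": row.get("TimeGenerated"),
            "AccountUPN": targets[0].get("userPrincipalName") if targets else None,
            "ActivityDisplayName": row["ActivityDisplayName"],
            "AAGUID": details[1].get("value") if len(details) > 1 else None,
            "WebAuthnInfo": details[0].get("value") if details else None,
        })
    return hits
```

A hit with a None AAGUID is worth surfacing rather than dropping, since it means the registration event did not carry the authenticator details the query expects at those positions.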

Steven Lim
Released: August 2, 2024