Query Details

Entra Smart Lockout Tampering

Query

AuditLogs
| where OperationName == "Update company settings"
| where Category == "DirectoryManagement"
| extend User = tostring(parse_json(tostring(parse_json(InitiatedBy).user)).userPrincipalName)
// newValue/oldValue are JSON strings; Settings and Properties inside them are JSON strings again,
// hence the repeated parse_json(tostring(...)) unwrapping
| extend ModifiedProps = parse_json(tostring(TargetResources[0].modifiedProperties))
| extend NewProps = parse_json(tostring(parse_json(tostring(parse_json(tostring(ModifiedProps[0].newValue))[0].Settings))[0].Properties))
| extend OldProps = parse_json(tostring(parse_json(tostring(parse_json(tostring(ModifiedProps[0].oldValue))[0].Settings))[0].Properties))
// Properties[4] is the lockout threshold, Properties[3] the lockout duration
| extend NewLockoutPolicy = toint(NewProps[4].Value), OldLockoutPolicy = toint(OldProps[4].Value)
| extend NewLockoutDuration = toint(NewProps[3].Value), OldLockoutDuration = toint(OldProps[3].Value)
| where NewLockoutPolicy > 10 or NewLockoutDuration < 60
| where OldLockoutDuration != NewLockoutDuration and NewLockoutPolicy != OldLockoutPolicy
| summarize by NewLockoutPolicy, OldLockoutPolicy, NewLockoutDuration, OldLockoutDuration, User

Explanation

This KQL query analyzes Entra audit logs to identify changes to the company settings that hold the account lockout policy. Here's a simplified breakdown of what the query does:

  1. Filter Logs: It starts by filtering audit logs to only include entries where the operation was "Update company settings" and the category is "DirectoryManagement".

  2. Extract User Information: It extracts the user principal name of the person who initiated the changes.

  3. Extract Policy Details: It retrieves the new and old values for two specific settings:

    • Lockout Policy: The number of failed login attempts before an account is locked.
    • Lockout Duration: The time period an account remains locked after exceeding the failed login attempts.

  4. Apply Conditions: It further filters the logs to include only those entries where:

    • The new lockout policy is greater than 10 attempts, or the new lockout duration is less than 60 minutes.
    • There is a change in both the lockout policy and lockout duration values.

  5. Summarize Results: Finally, it summarizes the results by grouping them based on the new and old values of the lockout policy and duration, along with the user who made the changes.

In essence, the query is identifying and summarizing changes to account lockout settings that meet specific criteria, highlighting potential security adjustments made by users.
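To make the nested-JSON unwrapping and the two filter conditions concrete, here is an added Python example (not part of the original query page or Jay Kerai's work) that replays the query's logic over constructed AuditLogs-shaped rows. It assumes, as the query does, that the lockout duration sits at Properties[3] and the lockout threshold at Properties[4]; the property names, user principal names and record layout below are constructed sample data. The third sample row shows the caveat a defender should know: because the query requires both values to change, a change to the threshold alone is not reported.

```python
import json

# Thresholds taken from the query: a lockout threshold above 10 failed attempts,
# or a lockout duration below 60, is treated as a weakening of the policy.
MAX_LOCKOUT_THRESHOLD = 10
MIN_LOCKOUT_DURATION = 60

# Positions the query reads by index. This is an assumption carried over from
# the query, not a documented schema, so it is fragile if the property order changes.
DURATION_INDEX = 3
THRESHOLD_INDEX = 4


def _settings_properties(value):
    """Unwrap the triple-encoded JSON the query walks with parse_json(tostring(...)).

    value is the newValue/oldValue string: a JSON array whose first element has a
    'Settings' JSON string, whose first element has a 'Properties' JSON string.
    """
    outer = json.loads(value)                       # parse_json(tostring(newValue))
    settings = json.loads(outer[0]["Settings"])     # [0].Settings is itself JSON text
    return json.loads(settings[0]["Properties"])    # [0].Properties is itself JSON text


def extract_lockout_change(record):
    """Return the five columns the query extends, from one AuditLogs-shaped row."""
    initiated_by = json.loads(record["InitiatedBy"])
    user = initiated_by["user"]["userPrincipalName"]
    modified = record["TargetResources"][0]["modifiedProperties"]
    new_props = _settings_properties(modified[0]["newValue"])
    old_props = _settings_properties(modified[0]["oldValue"])
    return {
        "User": user,
        "NewLockoutPolicy": int(new_props[THRESHOLD_INDEX]["Value"]),
        "OldLockoutPolicy": int(old_props[THRESHOLD_INDEX]["Value"]),
        "NewLockoutDuration": int(new_props[DURATION_INDEX]["Value"]),
        "OldLockoutDuration": int(old_props[DURATION_INDEX]["Value"]),
    }


def is_lockout_tampering(change):
    """Apply the query's two where-clauses to an extracted change."""
    weakened = (change["NewLockoutPolicy"] > MAX_LOCKOUT_THRESHOLD
                or change["NewLockoutDuration"] < MIN_LOCKOUT_DURATION)
    both_changed = (change["OldLockoutDuration"] != change["NewLockoutDuration"]
                    and change["NewLockoutPolicy"] != change["OldLockoutPolicy"])
    return weakened and both_changed


def _lockout_value(duration, threshold):
    """Serialise one lockout setting with the nesting the audit record uses:
    Properties -> JSON string inside Settings -> JSON string inside newValue/oldValue.
    Property names here are illustrative; the query reads them by position only."""
    properties = [{"Name": f"OtherSetting{i}", "Value": "unchanged"} for i in range(3)]
    properties.append({"Name": "LockoutDuration", "Value": str(duration)})
    properties.append({"Name": "LockoutThreshold", "Value": str(threshold)})
    settings = [{"Properties": json.dumps(properties)}]
    return json.dumps([{"Settings": json.dumps(settings)}])


def _audit_record(upn, old, new):
    """Constructed AuditLogs-shaped row (not real tenant data)."""
    return {
        "OperationName": "Update company settings",
        "Category": "DirectoryManagement",
        "InitiatedBy": json.dumps({"user": {"userPrincipalName": upn}}),
        "TargetResources": [{
            "modifiedProperties": [{
                "displayName": "Settings",
                "oldValue": _lockout_value(*old),
                "newValue": _lockout_value(*new),
            }]
        }],
    }


# Constructed sample rows; (duration, threshold) pairs before and after the change.
SAMPLE_RECORDS = [
    # threshold 10 -> 100 and duration 60 -> 30: weakened, both changed -> reported
    _audit_record("alice@example.test", old=(60, 10), new=(30, 100)),
    # duration 60 -> 120, threshold unchanged: a hardening, not reported
    _audit_record("bob@example.test", old=(60, 10), new=(120, 10)),
    # threshold 10 -> 100 only: weakened, but the query's 'and' clause drops it
    _audit_record("carol@example.test", old=(60, 10), new=(60, 100)),
]


def find_tampering(records):
    """Filter, extract and evaluate, returning the initiating users the query would surface."""
    hits = []
    for rec in records:
        if rec["OperationName"] != "Update company settings":
            continue
        if rec["Category"] != "DirectoryManagement":
            continue
        change = extract_lockout_change(rec)
        if is_lockout_tampering(change):
            hits.append(change["User"])
    return hits


if __name__ == "__main__":
    print(find_tampering(SAMPLE_RECORDS))
```

If the goal is to catch any weakening rather than a simultaneous change to both settings, relaxing the second condition from `and` to `or` in both the query and `is_lockout_tampering` would surface the third sample row as well.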

Details

Jay Kerai

Released: November 11, 2024

Tables

AuditLogs

Keywords

AuditLogs, DirectoryManagement, User, TargetResources, Settings, Properties

Operators

AuditLogs, |, where, ==, extend, =, tostring(), parse_json(), toint(), >, or, <, !=, summarize, by