Query Details

Entra User Account Compromised By C2

Query

// Entra User Account Compromised by C2

// A high-precision detection that uses the threat intelligence enrichment in Sentinel Behaviour Analytics to find successful Entra account sign-ins from a C2 IP address made from an unidentified source device. Link this analytic rule to a Logic Apps playbook that marks the account as compromised.

BehaviorAnalytics
| where TimeGenerated > ago(1h)
| where DevicesInsights.ThreatIntelIndicatorType == "C2"
| where ActionType == "Sign-in"
| where isempty(SourceDevice)
| where ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == "True"

// MITRE ATT&CK
// T1078.003 - Valid Accounts: Cloud Accounts

Explanation

This query is designed to detect potentially compromised Entra user accounts by identifying successful logins from command and control (C2) IP addresses. Here's a simple breakdown of what the query does:

  1. Data Source: It uses data from the BehaviorAnalytics table, which contains information about user activities and potential threats.

  2. Time Frame: The query looks at data from the past hour (TimeGenerated > ago(1h)).

  3. Threat Detection: It filters for rows where DevicesInsights.ThreatIntelIndicatorType is "C2", meaning the sign-in came from an IP address that threat intelligence has classified as a command and control server, which is a strong indicator of malicious activity.

  4. Action Type: It specifically looks for "Sign-in" actions, meaning it is focused on login attempts.

  5. Source Device: It checks for logins where the SourceDevice information is missing (isempty(SourceDevice)), which could indicate an unidentified or suspicious device.

  6. Uncommon Location: It further filters for logins from countries that are not commonly connected from among the user's peers (CountryUncommonlyConnectedFromAmongPeers == "True"), suggesting an unusual or suspicious login location. Note that the insight is compared as the string "True" (KQL == is a case-sensitive string comparison here), not as a boolean.

  7. Response: The query suggests linking this detection to a logic app playbook to automatically mark the account as compromised, allowing for a quick response to potential threats.

  8. MITRE ATT&CK Reference: The query is associated with the MITRE ATT&CK technique T1078.003, which involves the use of valid cloud accounts for unauthorized access.

In summary, this query is designed to identify and respond to potentially compromised user accounts by detecting unusual and suspicious login activities from known threat sources.
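To make the filter logic concrete, here is an added Python example (not part of the original query page) that applies the same five conditions, in the same order, to constructed BehaviorAnalytics-shaped rows. Column names follow the real table schema used by the query; every value, user name and IP address is invented, and the 1h window is evaluated against a fixed reference time instead of the clock. It also shows why isempty() matters: both a null and an empty SourceDevice count as "unidentified".

```python
from datetime import datetime, timedelta, timezone
from typing import Any

# Reference point for the ago(1h) window; a live query would use the current time.
NOW = datetime(2024, 10, 15, 12, 0, tzinfo=timezone.utc)


def make_row(**overrides: Any) -> dict[str, Any]:
    """Build a constructed BehaviorAnalytics-shaped row.

    Column names follow the Sentinel schema the query reads; all values are
    invented. The defaults describe a row the query should match.
    """
    row: dict[str, Any] = {
        "TimeGenerated": NOW - timedelta(minutes=10),
        "UserPrincipalName": "alice@contoso.example",
        "ActionType": "Sign-in",
        "SourceDevice": "",                 # unidentified device
        "SourceIPAddress": "203.0.113.7",   # constructed (TEST-NET-3)
        "DevicesInsights": {"ThreatIntelIndicatorType": "C2"},
        "ActivityInsights": {"CountryUncommonlyConnectedFromAmongPeers": "True"},
    }
    row.update(overrides)
    return row


# Constructed sample data: true positives plus one row per filter that should reject it.
SAMPLE_ROWS: list[dict[str, Any]] = [
    make_row(),
    make_row(UserPrincipalName="bob@contoso.example", SourceDevice="LAPTOP-0042"),
    make_row(UserPrincipalName="carol@contoso.example",
             DevicesInsights={"ThreatIntelIndicatorType": "Botnet"}),
    make_row(UserPrincipalName="dave@contoso.example",
             TimeGenerated=NOW - timedelta(hours=2)),
    make_row(UserPrincipalName="erin@contoso.example",
             ActivityInsights={"CountryUncommonlyConnectedFromAmongPeers": "False"}),
    make_row(UserPrincipalName="frank@contoso.example", ActionType="Reset user password"),
    make_row(UserPrincipalName="grace@contoso.example", SourceDevice=None),  # null is also "empty"
]


def kql_isempty(value: Any) -> bool:
    """Mirror KQL isempty(): true for a null value or an empty string."""
    return value is None or value == ""


def detect_c2_signins(rows, now: datetime = NOW, lookback: timedelta = timedelta(hours=1)):
    """Apply the query's five filters in order; each `continue` is one `| where`."""
    hits = []
    for row in rows:
        # | where TimeGenerated > ago(1h)
        if not row["TimeGenerated"] > now - lookback:
            continue
        # | where DevicesInsights.ThreatIntelIndicatorType == "C2"  (case-sensitive, like KQL ==)
        if (row.get("DevicesInsights") or {}).get("ThreatIntelIndicatorType") != "C2":
            continue
        # | where ActionType == "Sign-in"
        if row.get("ActionType") != "Sign-in":
            continue
        # | where isempty(SourceDevice)
        if not kql_isempty(row.get("SourceDevice")):
            continue
        # | where ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == "True"
        # The insight is stored as the string "True", so this is a string compare, not a boolean test.
        if (row.get("ActivityInsights") or {}).get("CountryUncommonlyConnectedFromAmongPeers") != "True":
            continue
        hits.append(row)
    return hits


def accounts_to_flag(rows) -> set[str]:
    """Distinct UPNs a playbook would receive to mark as compromised."""
    return {row["UserPrincipalName"] for row in detect_c2_signins(rows)}


if __name__ == "__main__":
    for hit in detect_c2_signins(SAMPLE_ROWS):
        print(f"{hit['UserPrincipalName']} signed in from {hit['SourceIPAddress']} (C2) with no known device")
    print("accounts to flag:", sorted(accounts_to_flag(SAMPLE_ROWS)))
```

Only alice and grace survive all five filters; the other rows each fail exactly one condition, which is a useful way to sanity-check a rule before wiring it to a playbook that takes an automated action on the account.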

Details

Steven Lim

Released: October 15, 2024

Tables

BehaviorAnalytics

Keywords

BehaviorAnalytics, DevicesInsights, ActionType, SourceDevice, ActivityInsights, Country, Peers

Operators

BehaviorAnalytics, |, where, >, ago(), ==, isempty()