Query Details
// https://blog.compass-security.com/2025/04/introducing-entrafalcon-a-tool-to-enumerate-entra-id-objects-and-assignments/
// Look-back window for both tables.
let QueryPeriod = 1h;
// Interactive sign-ins: Azure Active Directory PowerShell (1b730954-...) or Azure CLI (04b07795-...)
// requesting a token for Microsoft Graph (00000003-0000-0000-c000-000000000000).
let InteractiveSignin = SigninLogs
    | where TimeGenerated > ago(QueryPeriod)
    | where (AppId == "1b730954-1685-4b74-9bfd-dac224a7b894" and ResourceIdentity == "00000003-0000-0000-c000-000000000000")
        or (AppId == "04b07795-8ddb-461a-bbee-02f9e1bf7b46" and ResourceIdentity == "00000003-0000-0000-c000-000000000000");
// Non-interactive sign-ins: the second client ID against Microsoft Graph, or Azure CLI against
// Azure Resource Manager (797f4846-ba00-4fd7-ba43-dac1f8f63013); then union with the interactive hits.
AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(QueryPeriod)
    | where (AppId == "eb20f3e3-3dce-4d2c-b721-ebb8d4414067" and ResourceIdentity == "00000003-0000-0000-c000-000000000000")
        or (AppId == "04b07795-8ddb-461a-bbee-02f9e1bf7b46" and ResourceIdentity == "797f4846-ba00-4fd7-ba43-dac1f8f63013")
    | union InteractiveSignin
This query is designed to analyze sign-in logs from Azure Active Directory (AAD) within the last hour. It focuses on two types of sign-ins: interactive and non-interactive.
Interactive Sign-ins: The query filters the SigninLogs table for entries whose AppId and ResourceIdentity match specific pairs of values. AppId identifies the client application that requested the token and ResourceIdentity the resource (API) the token was requested for; the values used here are well-known Azure application and resource IDs.
Non-Interactive Sign-ins: Similarly, it filters the AADNonInteractiveUserSignInLogs table for entries with specific AppId and ResourceIdentity values.
Combining Results: The filtered non-interactive sign-ins are combined with the interactive ones by appending `| union InteractiveSignin` to the non-interactive pipeline. This provides a single view of all relevant sign-in activities, from both tables, within the specified time frame.
In summary, the query retrieves and combines specific sign-in activities from Azure Active Directory logs over the past hour, focusing on certain applications and resources.
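As an added example that is not part of the original query page, the following Python code reimplements the query's matching rules (the 1h look-back, the per-table AppId/ResourceIdentity pairs, and the union) and runs them over constructed sample rows. The row fields, user names and timestamps are assumed for illustration; the application and resource IDs are the ones from the query.

```python
from datetime import datetime, timedelta, timezone

# Client app IDs (AppId) and resource IDs (ResourceIdentity) taken from the query.
AZURE_AD_POWERSHELL = "1b730954-1685-4b74-9bfd-dac224a7b894"  # Azure Active Directory PowerShell
AZURE_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"            # Microsoft Azure CLI
SECOND_CLIENT = "eb20f3e3-3dce-4d2c-b721-ebb8d4414067"        # second client ID used by the query
MS_GRAPH = "00000003-0000-0000-c000-000000000000"             # Microsoft Graph
AZURE_RM = "797f4846-ba00-4fd7-ba43-dac1f8f63013"             # Azure Resource Manager

# (AppId, ResourceIdentity) pairs, one set per `where` clause in the query.
INTERACTIVE_PAIRS = {(AZURE_AD_POWERSHELL, MS_GRAPH), (AZURE_CLI, MS_GRAPH)}
NONINTERACTIVE_PAIRS = {(SECOND_CLIENT, MS_GRAPH), (AZURE_CLI, AZURE_RM)}


def filter_table(rows, pairs, now, period):
    """Apply `TimeGenerated > ago(period)` and the AppId/ResourceIdentity pair filter."""
    cutoff = now - period
    return [r for r in rows
            if datetime.fromisoformat(r["TimeGenerated"]) > cutoff
            and (r["AppId"], r["ResourceIdentity"]) in pairs]


def run_query(interactive_rows, noninteractive_rows, now, period_hours=1):
    """Mirror the query: filter both tables, then union them, tagging the source table."""
    period = timedelta(hours=period_hours)
    hits = [dict(r, Table="SigninLogs")
            for r in filter_table(interactive_rows, INTERACTIVE_PAIRS, now, period)]
    hits += [dict(r, Table="AADNonInteractiveUserSignInLogs")
             for r in filter_table(noninteractive_rows, NONINTERACTIVE_PAIRS, now, period)]
    return hits


NOW = datetime(2025, 5, 19, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

def _row(minutes_ago, upn, app, resource):
    ts = (NOW - timedelta(minutes=minutes_ago)).isoformat()
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "AppId": app, "ResourceIdentity": resource}

# Constructed sample rows (hypothetical users); only alice and dave should match.
INTERACTIVE = [
    _row(10, "alice@example.com", AZURE_AD_POWERSHELL, MS_GRAPH),    # match
    _row(10, "bob@example.com", AZURE_CLI, AZURE_RM),                # CLI -> ARM is only matched non-interactively
    _row(180, "carol@example.com", AZURE_AD_POWERSHELL, MS_GRAPH),   # outside the 1h window
]
NONINTERACTIVE = [
    _row(5, "dave@example.com", AZURE_CLI, AZURE_RM),                # match
    _row(5, "erin@example.com", AZURE_CLI, MS_GRAPH),                # CLI -> Graph is only matched interactively
]

if __name__ == "__main__":
    for hit in run_query(INTERACTIVE, NONINTERACTIVE, NOW):
        print(hit["Table"], hit["UserPrincipalName"], hit["AppId"], hit["ResourceIdentity"])
```

Widening the window (for example `period_hours=4`) pulls in carol's older sign-in, which is the same effect as changing `QueryPeriod` in the KQL.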

Steven Lim
Released: May 19, 2025