Entra ID Suspicious Activity Reported

# Entra ID - Suspicious activity reported

## Query Information

### Description

This KQL query identifies events where users report MFA prompts as suspicious, triggering a "High User Risk" classification within Microsoft Entra ID Protection. It provides visibility into potential fraud attempts.

#### References

- [Retirement - MFA Fraud Alert will be retired on March 1st 2025](https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#retirement---mfa-fraud-alert-will-be-retired-on-march-1st-2025)
- [Report suspicious activity](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#report-suspicious-activity)

### Microsoft Sentinel

```kql
AuditLogs
| where OperationName == "Suspicious activity reported"
| extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
```

Explanation

This KQL query identifies instances where users have reported a multi-factor authentication (MFA) prompt as suspicious within Microsoft Entra ID (formerly Azure AD). When a user files such a report, Entra ID Protection flags the account as "High User Risk", indicating a potential fraud attempt. The query filters the AuditLogs table for entries whose operation name is "Suspicious activity reported" and extracts the user principal name (UPN, typically the user's sign-in email address) of the user who submitted the report. This gives organizations a view of accounts receiving MFA prompts they did not initiate, so they can monitor and respond to possible unauthorized access attempts.
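To make the query's filter and extraction concrete, here is an added Python example (not part of the original page or of the author's query) that applies the same logic to a few constructed rows shaped like Sentinel AuditLogs records. It also tallies reports per account, which the KQL itself does not do; all UPNs and timestamps are made up.

```python
import json
from collections import Counter

# Constructed sample rows shaped like Microsoft Sentinel AuditLogs records (values made up).
# InitiatedBy is a dynamic column: its "user" member can arrive as a nested object or as a
# JSON-encoded string, which is why the KQL wraps it in tostring() before parse_json().
SAMPLE_AUDIT_LOGS = [
    {"TimeGenerated": "2025-01-22T08:01:10Z", "OperationName": "Suspicious activity reported",
     "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}},
    {"TimeGenerated": "2025-01-22T08:03:42Z", "OperationName": "Suspicious activity reported",
     "InitiatedBy": {"user": json.dumps({"userPrincipalName": "bob@contoso.example"})}},
    {"TimeGenerated": "2025-01-22T08:05:00Z", "OperationName": "Update user",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}},
    {"TimeGenerated": "2025-01-22T09:15:00Z", "OperationName": "Suspicious activity reported",
     "InitiatedBy": {"app": {"displayName": "Constructed App"}}},  # no user member
    {"TimeGenerated": "2025-01-22T09:20:31Z", "OperationName": "Suspicious activity reported",
     "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}},
]

def extract_upn(initiated_by):
    """Python equivalent of tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName).
    Returns "" when there is no user member, as KQL's tostring() does for a missing value."""
    user = initiated_by.get("user")
    if user is None:
        return ""
    if isinstance(user, str):  # JSON-encoded string variant
        user = json.loads(user)
    return str(user.get("userPrincipalName", ""))

def suspicious_activity_reports(rows):
    """Apply the query: keep 'Suspicious activity reported' rows and add userPrincipalName."""
    return [
        {"TimeGenerated": row["TimeGenerated"], "userPrincipalName": extract_upn(row.get("InitiatedBy", {}))}
        for row in rows
        if row.get("OperationName") == "Suspicious activity reported"
    ]

def reports_per_user(rows):
    """Count reports per UPN; repeated reports from one account point to ongoing unsolicited
    MFA prompts against that user and are worth triaging first."""
    return Counter(r["userPrincipalName"] for r in suspicious_activity_reports(rows) if r["userPrincipalName"])

if __name__ == "__main__":
    for r in suspicious_activity_reports(SAMPLE_AUDIT_LOGS):
        print(r["TimeGenerated"], r["userPrincipalName"] or "<no user principal>")
    print(dict(reports_per_user(SAMPLE_AUDIT_LOGS)))
```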

Details

Alex Verboon

Released: January 22, 2025

Tables

AuditLogs

Keywords

AuditLogs, UserActivity, MicrosoftEntraIDProtection

Operators

|, where, ==, extend, tostring(), parse_json()