Entra ID Suspicious Activity Reported
Query
AuditLogs
| where OperationName == "Suspicious activity reported"
| extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)About this query
Entra ID - Suspicious activity reported
Query Information
Description
This KQL query identifies events where users report MFA prompts as suspicious, triggering a "High User Risk" classification within Microsoft Entra ID Protection. It provides visibility into potential fraud attempts.
References
Microsoft Sentinel
Explanation
This KQL query is designed to identify instances where users have reported suspicious multi-factor authentication (MFA) prompts within Microsoft Entra ID (formerly Azure AD). When a user reports such an event, it is flagged as "High User Risk," indicating a potential fraud attempt. The query specifically looks for audit log entries with the operation name "Suspicious activity reported" and extracts the user's principal name (essentially their username or email) who initiated the report. This helps organizations monitor and respond to possible security threats related to unauthorized access attempts.
Details

Alex Verboon
Released: January 22, 2025
Tables
Keywords
Operators