Query Details

Entra ID Suspicious Activity Reported

Query

AuditLogs
| where OperationName == "Suspicious activity reported"
| extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)

About this query

Entra ID - Suspicious activity reported

Query Information

Description

This KQL query identifies events where users report MFA prompts as suspicious, triggering a "High User Risk" classification within Microsoft Entra ID Protection. It provides visibility into potential fraud attempts.

References

Microsoft Sentinel

Explanation

This KQL query is designed to identify instances where users have reported suspicious multi-factor authentication (MFA) prompts within Microsoft Entra ID (formerly Azure AD). When a user reports such an event, it is flagged as "High User Risk," indicating a potential fraud attempt. The query specifically looks for audit log entries with the operation name "Suspicious activity reported" and extracts the user's principal name (essentially their username or email) who initiated the report. This helps organizations monitor and respond to possible security threats related to unauthorized access attempts.

Details

Alex Verboon profile picture

Alex Verboon

Released: January 22, 2025

Tables

AuditLogs

Keywords

AuditLogsUserActivityMicrosoftEntraIDProtection

Operators

|where==extendtostring()parse_json()

Actions

GitHub