Query Details

Exploring M365 Accounts Investigation

Query

// Exploring M365 Accounts Investigation

// https://www.linkedin.com/posts/0x534c_cybersecurity-m365investigation-kql-activity-7300859391950344192-xedq/

// Step 1: users who went through a self-service password reset in the last 90 days.
// "has" is a case-insensitive whole-term match, so it catches operation names such as
// "Self-service password reset flow activity progress".
let UserSSPR =
AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName has "Self-service password reset"
| distinct tostring(TargetResources[0].userPrincipalName);
// Step 2: of those users, the ones with a sign-in from a device that is neither mobile
// nor joined/registered to Entra ID. The trustType values "Azure AD joined",
// "Azure AD registered" and "Hybrid Azure AD joined" all contain the term "AD", so
// only sign-ins with an empty or unrecognised trustType survive the filter.
let UserEPNonManaged =
SigninLogs
| where TimeGenerated > ago(90d)
| where UserPrincipalName has_any(UserSSPR)
| extend DeviceName = tostring(DeviceDetail.displayName)
| extend TrustType = tostring(DeviceDetail.trustType)
| extend OS = tostring(DeviceDetail.operatingSystem)
| where OS !has "ios" and OS !has "android"
| where TrustType !has "AD"
| distinct UserPrincipalName;
// Step 3: cloud-app activity by those users from an IP categorised as VPN or tagged as
// an anonymous proxy, counted per action type, user agent and user.
CloudAppEvents
| where TimeGenerated > ago(90d)
| where IPCategory has "VPN" or IPTags has "Anonymous proxy"
| where tostring(RawEventData.UserId) has_any(UserEPNonManaged)
| summarize Count=count() by ActionType, UserAgent, tostring(RawEventData.UserId)
| sort by Count desc

Explanation

This query is designed to investigate Microsoft 365 accounts with a focus on identifying potentially suspicious activity that combines a self-service password reset, sign-ins from non-managed devices, and cloud-app access from VPN or anonymous-proxy IP addresses. Here's a simplified breakdown:

  1. Identify Users with Password Resets:

    • The query first looks at AuditLogs from the past 90 days for operations whose name contains the term "Self-service password reset" (has is a case-insensitive whole-term match) and collects the affected users' principal names (TargetResources[0].userPrincipalName) into a list called UserSSPR.
  2. Find Non-Managed Device Sign-ins:

    • It then examines SigninLogs from the same 90-day period for sign-ins by those users (matched with has_any, which is also case-insensitive) where the device's operating system is neither iOS nor Android and its trustType does not contain the term "AD". That filter excludes Azure AD joined, Azure AD registered and Hybrid Azure AD joined devices, so what remains are sign-ins where the device is not joined or registered to Entra ID at all (trustType empty). These users are collected into a list called UserEPNonManaged.
  3. Analyze Cloud App Events for VPN or Proxy Usage:

    • Finally, the query checks CloudAppEvents from the past 90 days for events where the source IP was categorised as VPN (IPCategory) or tagged as an anonymous proxy (IPTags) and the acting user (RawEventData.UserId) is in UserEPNonManaged. It summarizes the number of such events by action type, user agent, and user ID, and sorts the results by the count of occurrences in descending order.

In essence, this query helps identify users who have reset their passwords and then accessed Microsoft 365 services from a device that is not joined or registered, via a VPN or anonymous proxy, which could indicate account takeover. Two caveats when triaging the results: each stage is an independent 90-day membership test, so the query does not require the non-managed sign-in to happen after the reset, nor the VPN activity to happen after that sign-in; and a sign-in with no DeviceDetail at all (for example a browser session from an unregistered machine) also passes the non-managed filter. Pivot on the timestamps in the three tables before treating a hit as a reset-then-takeover sequence.
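As an added example (not part of the original query or its author's post), the following variant carries the timestamps through instead of reducing each stage to a list of UPNs, so a hit only appears when the non-managed sign-in followed the reset and the VPN or proxy activity followed that sign-in. It uses the same Sentinel tables and fields as the original; the lookback value, the Upn join key and the output column names are this example's own choices.

```kql
// Added example, not part of the original query: a time-ordered variant of the
// same three-stage hunt. Every hit reads as
//   self-service password reset -> first non-managed sign-in -> VPN/proxy cloud-app activity
// in that order. Table and field names are the ones the original query uses;
// 'lookback', the 'Upn' key and the output column names are this example's own.
let lookback = 90d;
let SsprByUser =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName has "Self-service password reset"
    // lowercase the key: join is case-sensitive on strings, unlike has_any
    | extend Upn = tolower(tostring(TargetResources[0].userPrincipalName))
    | where isnotempty(Upn)
    // one row per user, the most recent reset in the window
    | summarize SsprTime = max(TimeGenerated) by Upn;
let NonManagedAfterSspr =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | extend Upn = tolower(UserPrincipalName),
             DeviceName = tostring(DeviceDetail.displayName),
             TrustType = tostring(DeviceDetail.trustType),
             OS = tostring(DeviceDetail.operatingSystem)
    | where OS !has "ios" and OS !has "android"
    // same filter as the original: "Azure AD joined", "Azure AD registered" and
    // "Hybrid Azure AD joined" all contain the term "AD" and count as managed;
    // only an empty or unrecognised trustType survives
    | where TrustType !has "AD"
    | join kind=inner SsprByUser on Upn
    // keep only sign-ins that happened after the reset
    | where TimeGenerated > SsprTime
    | summarize FirstNonManagedSignin = min(TimeGenerated),
                SsprTime = max(SsprTime),
                NonManagedDevices = make_set(DeviceName, 10)
             by Upn;
CloudAppEvents
| where TimeGenerated > ago(lookback)
| where IPCategory has "VPN" or IPTags has "Anonymous proxy"
| extend Upn = tolower(tostring(RawEventData.UserId))
| join kind=inner NonManagedAfterSspr on Upn
// and only cloud-app activity that followed that first non-managed sign-in
| where TimeGenerated > FirstNonManagedSignin
| summarize Count = count(),
            FirstVpnActivity = min(TimeGenerated),
            LastVpnActivity = max(TimeGenerated),
            NonManagedDevices = take_any(NonManagedDevices)
         by Upn, SsprTime, FirstNonManagedSignin, ActionType, UserAgent
| project Upn, SsprTime, FirstNonManagedSignin, NonManagedDevices, ActionType, UserAgent,
          FirstVpnActivity, LastVpnActivity, Count
| sort by Count desc
```

The two design points worth keeping in mind: has_any in the original is case-insensitive, but join compares string keys exactly, which is why both sides are lowercased before joining; and the ordering checks cost recall, so if you want the original's broader "any overlap in 90 days" view, drop the two TimeGenerated comparisons after the joins.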

Details

Steven Lim

Released: February 27, 2025

Tables

AuditLogs, SigninLogs, CloudAppEvents

Keywords

AuditLogs, SigninLogs, CloudAppEvents, TimeGenerated, OperationName, TargetResources, UserPrincipalName, DeviceName, TrustType, OS, IPCategory, IPTags, RawEventData, ActionType, UserAgent

Operators

let, |, where, >, ago(), has, distinct, tostring(), extend, !has, or, summarize, count(), by, sort, desc