Query Details

FIDO AAGUID Passkey Explorer

Query

//This query looks up AAGUIDs with their device manufacturer using Passkey Explorer
//Can be joined with audit logs to track passkey additions
let PasskeyExplorer = externaldata(Guid: dynamic )[@"https://raw.githubusercontent.com/passkeydeveloper/passkey-authenticator-aaguids/main/combined_aaguid.json"] with (format="txt", ignoreFirstRecord=false)
| mv-expand kind=array Guid
| extend AAGUID = tostring(Guid[0])
| extend KeyName = Guid[1].name
| project-away Guid;
PasskeyExplorer
//Example usage, join to audit logs
//AuditLogs
//| where ActivityDisplayName contains "Add Passkey"
//| where Result == "success"
//| extend AccountUPN = TargetResources[0].userPrincipalName
//| extend AAGUID = tostring(AdditionalDetails[1].value)
//| extend WebAuthnInfo = AdditionalDetails[0].value
//| join kind=leftouter PasskeyExplorer on AAGUID
//| project TimeGenerated, AccountUPN, ActivityDisplayName, AAGUID, WebAuthnInfo, KeyName 

Explanation

This query is designed to retrieve and display information about AAGUIDs (Authenticator Attestation GUIDs) and their corresponding device manufacturers using data from the Passkey Explorer. Here's a simple breakdown of what the query does:

  1. Data Retrieval: It pulls data from an external JSON file hosted on GitHub, which contains information about AAGUIDs and their associated device manufacturers.

  2. Data Processing:

    • The JSON object is expanded with mv-expand kind=array, which turns each property of the object into a [key, value] pair, giving one row per AAGUID.
    • Guid[0] (the AAGUID) is converted to a string, and the device manufacturer's name is read from Guid[1].name.
  3. Data Preparation: The query prepares a table (PasskeyExplorer) with columns for AAGUID and the device manufacturer's name, removing any unnecessary columns.

  4. Example Usage:

    • The query includes a commented-out example of how you might join this AAGUID data with audit logs.
    • It filters audit logs to find successful passkey additions.
    • It extracts relevant details like the user's principal name and WebAuthn information.
    • It performs a left outer join with the PasskeyExplorer data on the AAGUID to combine the information. Because the join is leftouter, additions whose AAGUID is not in the list are still returned, with an empty KeyName; those rows are the ones worth reviewing.
    • Finally, it selects specific columns to display, such as the time of the event, user information, activity name, AAGUID, WebAuthn details, and the device manufacturer's name.

In summary, this query helps in associating AAGUIDs with their manufacturers and can be used to track passkey-related activities by joining with audit logs.
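As an added example, not part of the original query page, the same lookup-and-join logic written in Python over constructed sample data, so the mapping can be checked offline: it parses an object in the shape of combined_aaguid.json, builds the AAGUID-to-name table that the PasskeyExplorer step produces, and performs the left-outer join against constructed audit records. The GUIDs, names and the AdditionalDetails key names ("AAGUID", "WebAuthnInfo") are assumptions made for this example. It also normalises AAGUID casing and braces and reads details by key rather than by array position, which the KQL does not do, and lists the rows that found no manufacturer match.

```python
import json
import re

# Constructed sample in the shape of combined_aaguid.json: a JSON object keyed
# by AAGUID whose values carry the authenticator name. GUIDs and names are made
# up for this example, not copied from the real list.
SAMPLE_COMBINED_AAGUID_JSON = """
{
  "11111111-2222-3333-4444-555555555555": {"name": "Example Authenticator A"},
  "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": {"name": "Example Authenticator B"}
}
"""


def _rec(ts, upn, result, webauthn, aaguid):
    # Constructed audit record; the AdditionalDetails key names are assumed.
    return {"TimeGenerated": ts, "ActivityDisplayName": "Add Passkey",
            "Result": result,
            "TargetResources": [{"userPrincipalName": upn}],
            "AdditionalDetails": [{"key": "WebAuthnInfo", "value": webauthn},
                                  {"key": "AAGUID", "value": aaguid}]}


SAMPLE_AUDIT_LOGS = [
    _rec("2024-11-10T09:00:00Z", "alice@example.com", "success", "platform",
         "11111111-2222-3333-4444-555555555555"),
    # Braces and upper case: an exact-string join would miss this one
    _rec("2024-11-10T09:05:00Z", "bob@example.com", "success", "cross-platform",
         "{99999999-8888-7777-6666-555555555555}"),
    _rec("2024-11-10T09:10:00Z", "carol@example.com", "failure", "platform",
         "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
]

AAGUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def normalize_aaguid(value):
    """Canonicalise an AAGUID (lower case, no braces/whitespace) or return None."""
    if not isinstance(value, str):
        return None
    candidate = value.strip().strip("{}").lower()
    return candidate if AAGUID_RE.match(candidate) else None


def load_aaguid_table(text):
    """Build {AAGUID: KeyName}, the equivalent of the PasskeyExplorer table.

    Iterating the top-level object mirrors `mv-expand kind=array`: each property
    is a [key, value] pair with the AAGUID as key and value.name as the name.
    Entries without a valid AAGUID or a name are skipped."""
    table = {}
    for key, meta in json.loads(text).items():
        aaguid = normalize_aaguid(key)
        name = meta.get("name") if isinstance(meta, dict) else None
        if aaguid and isinstance(name, str):
            table[aaguid] = name
    return table


def _detail(record, key):
    """Fetch an AdditionalDetails value by key rather than by array position."""
    for item in record.get("AdditionalDetails", []):
        if item.get("key") == key:
            return item.get("value")
    return None


def join_audit_logs(records, table):
    """Left-outer join of successful passkey additions against the table.

    Rows whose AAGUID is not in the table are kept with KeyName=None, which is
    what `join kind=leftouter` does in the KQL example."""
    rows = []
    for rec in records:
        if "Add Passkey" not in rec.get("ActivityDisplayName", ""):
            continue
        if rec.get("Result") != "success":
            continue
        targets = rec.get("TargetResources") or [{}]
        aaguid = normalize_aaguid(_detail(rec, "AAGUID"))
        rows.append({
            "TimeGenerated": rec.get("TimeGenerated"),
            "AccountUPN": targets[0].get("userPrincipalName"),
            "ActivityDisplayName": rec["ActivityDisplayName"],
            "AAGUID": aaguid,
            "WebAuthnInfo": _detail(rec, "WebAuthnInfo"),
            "KeyName": table.get(aaguid) if aaguid else None,
        })
    return rows


def unmatched_rows(rows):
    """Rows with no manufacturer match: the ones worth a second look."""
    return [r for r in rows if r["KeyName"] is None]


if __name__ == "__main__":
    lookup = load_aaguid_table(SAMPLE_COMBINED_AAGUID_JSON)
    joined = join_audit_logs(SAMPLE_AUDIT_LOGS, lookup)
    for row in joined:
        print(row["TimeGenerated"], row["AccountUPN"], row["AAGUID"], row["KeyName"])
    print("unmatched rows:", len(unmatched_rows(joined)))
```

Running the block prints the two successful additions; the second has no KeyName because its AAGUID is not in the sample list, which is exactly the kind of row the leftouter join is meant to surface.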

Details

Jay Kerai

Released: November 10, 2024

Tables

PasskeyExplorer

Keywords

PasskeyExplorer, AuditLogs, Devices

Operators

externaldata, with, mv-expand, kind=array, extend, tostring, project-away, join, kind=leftouter, project