Query Details

Graph Runner Recon Detection Response

Query

// GraphRunner Recon Detection & Response
// https://www.linkedin.com/posts/activity-7186279751127334912-zjwN/

// We create a Sentinel NRT rule on this query to detect GraphRunner's "Get-GraphTokens" sign-in and pair it with an automation rule that revokes the token. 🔥

SigninLogs
| where AuthenticationProtocol == "deviceCode"
| where ResourceDisplayName == "Microsoft Graph"
| extend DeviceName = tostring(DeviceDetail.displayName)
| extend TrustType = tostring(DeviceDetail.trustType)
| where TrustType != "Hybrid Azure AD joined" and TrustType != "Azure AD joined"

Explanation

This query detects suspicious sign-ins to Microsoft Graph that use the "deviceCode" authentication protocol. Here's a simple summary:

  1. Source Data: The query looks at sign-in logs (SigninLogs).
  2. Filter by Authentication Protocol: It filters the logs to only include entries where the authentication protocol used is "deviceCode".
  3. Filter by Resource: It further narrows down the logs to those where the resource accessed is "Microsoft Graph".
  4. Extract Device Information: It extracts the device name and trust type from the DeviceDetail field and converts them to strings (a missing value becomes an empty string).
  5. Exclude Certain Devices: Finally, it excludes entries where the device is either "Hybrid Azure AD joined" or "Azure AD joined".

The purpose of this query is to identify potentially unauthorized or suspicious access to Microsoft Graph via device code authentication from devices that are neither Azure AD joined nor Hybrid Azure AD joined, which includes Azure AD registered devices and sign-ins that carry no device information at all.
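The same filter reimplemented in Python over constructed SigninLogs-shaped rows, added here as an example and not part of the original query page. It mirrors KQL's tostring() returning an empty string for a missing trustType, so a sign-in with no DeviceDetail falls through the exclusion and is flagged, as does an "Azure AD registered" device; the UPNs, device names and rows are constructed sample data.

```python
# Constructed sample rows shaped like Sentinel SigninLogs (not real data).
SAMPLE_SIGNIN_LOGS = [
    {"UserPrincipalName": "alice@example.test", "AuthenticationProtocol": "deviceCode",
     "ResourceDisplayName": "Microsoft Graph",
     "DeviceDetail": {"displayName": "", "trustType": ""}},        # no device info
    {"UserPrincipalName": "bob@example.test", "AuthenticationProtocol": "deviceCode",
     "ResourceDisplayName": "Microsoft Graph",
     "DeviceDetail": {"displayName": "LAPTOP-01", "trustType": "Azure AD joined"}},
    {"UserPrincipalName": "carol@example.test", "AuthenticationProtocol": "ropc",
     "ResourceDisplayName": "Microsoft Graph",
     "DeviceDetail": {"displayName": "", "trustType": ""}},        # wrong protocol
    {"UserPrincipalName": "dave@example.test", "AuthenticationProtocol": "deviceCode",
     "ResourceDisplayName": "Windows Azure Active Directory",
     "DeviceDetail": {}},                                            # wrong resource
    {"UserPrincipalName": "erin@example.test", "AuthenticationProtocol": "deviceCode",
     "ResourceDisplayName": "Microsoft Graph",
     "DeviceDetail": {"displayName": "WKS-07", "trustType": "Azure AD registered"}},
]

# Only these two trust types are excluded by the query's final where clause.
JOINED_TRUST_TYPES = {"Hybrid Azure AD joined", "Azure AD joined"}

def tostring(value):
    # KQL tostring() yields "" for null/missing, so rows without DeviceDetail pass the != checks.
    return "" if value is None else str(value)

def matches_rule(row):
    # where AuthenticationProtocol == "deviceCode"
    if row.get("AuthenticationProtocol") != "deviceCode":
        return False
    # where ResourceDisplayName == "Microsoft Graph"
    if row.get("ResourceDisplayName") != "Microsoft Graph":
        return False
    # extend TrustType = tostring(DeviceDetail.trustType); where TrustType not joined
    device = row.get("DeviceDetail") or {}
    return tostring(device.get("trustType")) not in JOINED_TRUST_TYPES

def run_detection(rows):
    # Return the projected columns an analyst would see for each flagged sign-in.
    hits = []
    for row in rows:
        if matches_rule(row):
            device = row.get("DeviceDetail") or {}
            hits.append({
                "UserPrincipalName": row.get("UserPrincipalName"),
                "DeviceName": tostring(device.get("displayName")),
                "TrustType": tostring(device.get("trustType")),
            })
    return hits  # on the sample rows: alice (no device info) and erin (registered only)
```

Running run_detection(SAMPLE_SIGNIN_LOGS) flags only alice and erin; bob is excluded as joined, carol by protocol and dave by resource.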

Details

Steven Lim

Released: August 5, 2024

Tables

SigninLogs

Keywords

SigninLogs, DeviceName, TrustType, AuthenticationProtocol, ResourceDisplayName, DeviceDetail

Operators

|, where, extend, tostring