Query Details

High Risk User Signin Resource Group Creation

Query

//Users with high-risk sign-in activity to the Azure Portal who then created a resource group within 12 hours


let riskyAzureSignIns = (
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where ErrorCode == 0                                               // successful sign-ins only
| where Application == "Azure Portal"
| where RiskLevelAggregated == 100 or RiskLevelDuringSignIn == 100   // 100 = High (0 none, 10 low, 50 medium)
| project AccountObjectId, RiskySignInTimestamp = Timestamp);
let resourceGroupCreation = (
CloudAppEvents
| where Timestamp > ago(7d)
| where Application == "Microsoft Azure"
| where ActionType == "Write ResourceGroup"
| project AccountObjectId, ResourceGroupCreation = Timestamp, ResourceGroupName = ObjectName);
//join the tables; kind=inner keeps every risky sign-in per user (the default kind, innerunique, keeps only one left-side row per AccountObjectId and would silently drop the others)
riskyAzureSignIns
| join kind=inner resourceGroupCreation on AccountObjectId
| where ResourceGroupCreation between (RiskySignInTimestamp .. (RiskySignInTimestamp + 12h))
| project AccountObjectId, RiskySignInTimestamp, ResourceGroupCreation, ResourceGroupName

Explanation

This query looks for users who had a high-risk sign-in to the Azure Portal and then wrote a resource group shortly afterwards. The first let-block filters AADSignInEventsBeta to successful sign-ins (ErrorCode 0) to the Azure Portal whose aggregated or real-time risk level is 100, which is the High level in this table. The second filters CloudAppEvents to "Write ResourceGroup" actions in Microsoft Azure; the underlying ARM write operation covers updates to an existing resource group as well as creation, so check the resource group name (ObjectName) before treating a hit as a newly created group. The two sets are joined on the user's AccountObjectId, and only resource group writes that occurred between the risky sign-in and 12 hours after it are kept. The 7-day lookback and the 12-hour window are tuning knobs; widen them for low-volume tenants or when Identity Protection risk is evaluated offline and lands late.
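The correlation described above, run over a handful of constructed events, as an added example that is not part of the original page or the author's query. It mirrors the two let-blocks and the time-bounded join in plain Python, and adds a unique_left switch that imitates KQL's default join kind (innerunique keeps a single left-side row per key; which row it keeps is arbitrary, here the first seen) so the effect of that default on a user with several risky sign-ins can be seen. The row values, the account IDs and the NOW timestamp are all made up.

```python
from datetime import datetime, timedelta

HIGH_RISK = 100                 # AADSignInEventsBeta risk levels: 0 none, 10 low, 50 medium, 100 high
WINDOW = timedelta(hours=12)    # the "+ 12h" in the query
LOOKBACK = timedelta(days=7)    # the "ago(7d)" in the query
NOW = datetime(2022, 8, 24, 12, 0)   # constructed "current time" for the lookback filter

# Constructed sample rows (not real telemetry), projected to the columns the query touches.
SIGNINS = [
    # u1 has two high-risk Azure Portal sign-ins two days apart
    {"AccountObjectId": "u1", "Timestamp": datetime(2022, 8, 20, 8, 0), "ErrorCode": 0,
     "Application": "Azure Portal", "RiskLevelAggregated": 100, "RiskLevelDuringSignIn": 0},
    {"AccountObjectId": "u1", "Timestamp": datetime(2022, 8, 22, 9, 0), "ErrorCode": 0,
     "Application": "Azure Portal", "RiskLevelAggregated": 0, "RiskLevelDuringSignIn": 100},
    # u2: high risk but the sign-in failed (wrong password), so ErrorCode != 0
    {"AccountObjectId": "u2", "Timestamp": datetime(2022, 8, 21, 10, 0), "ErrorCode": 50126,
     "Application": "Azure Portal", "RiskLevelAggregated": 100, "RiskLevelDuringSignIn": 100},
    # u3: medium risk only
    {"AccountObjectId": "u3", "Timestamp": datetime(2022, 8, 21, 10, 0), "ErrorCode": 0,
     "Application": "Azure Portal", "RiskLevelAggregated": 50, "RiskLevelDuringSignIn": 50},
    # u4: high risk, but not the Azure Portal
    {"AccountObjectId": "u4", "Timestamp": datetime(2022, 8, 23, 10, 0), "ErrorCode": 0,
     "Application": "Microsoft Teams", "RiskLevelAggregated": 100, "RiskLevelDuringSignIn": 100},
    # u1 again, but outside the 7-day lookback
    {"AccountObjectId": "u1", "Timestamp": datetime(2022, 8, 15, 8, 0), "ErrorCode": 0,
     "Application": "Azure Portal", "RiskLevelAggregated": 100, "RiskLevelDuringSignIn": 100},
]
CLOUDAPP = [
    {"AccountObjectId": "u1", "Timestamp": datetime(2022, 8, 22, 11, 30), "Application": "Microsoft Azure",
     "ActionType": "Write ResourceGroup", "ObjectName": "rg-persist"},    # 2.5h after u1's second risky sign-in
    {"AccountObjectId": "u1", "Timestamp": datetime(2022, 8, 20, 21, 0), "Application": "Microsoft Azure",
     "ActionType": "Write ResourceGroup", "ObjectName": "rg-late"},       # 13h after u1's first: outside window
    {"AccountObjectId": "u2", "Timestamp": datetime(2022, 8, 21, 10, 30), "Application": "Microsoft Azure",
     "ActionType": "Write ResourceGroup", "ObjectName": "rg-u2"},         # u2 has no successful risky sign-in
    {"AccountObjectId": "u3", "Timestamp": datetime(2022, 8, 21, 11, 0), "Application": "Microsoft Azure",
     "ActionType": "Write ResourceGroup", "ObjectName": "rg-u3"},         # u3 is only medium risk
    {"AccountObjectId": "u1", "Timestamp": datetime(2022, 8, 22, 10, 0), "Application": "Microsoft Azure",
     "ActionType": "Write Deployment", "ObjectName": "deploy-1"},         # different ActionType
]


def risky_azure_signins(rows, now):
    """Mirror of the riskyAzureSignIns let-block: successful, high-risk Azure Portal sign-ins."""
    return [
        {"AccountObjectId": r["AccountObjectId"], "RiskySignInTimestamp": r["Timestamp"]}
        for r in rows
        if r["Timestamp"] > now - LOOKBACK
        and r["ErrorCode"] == 0
        and r["Application"] == "Azure Portal"
        and (r["RiskLevelAggregated"] == HIGH_RISK or r["RiskLevelDuringSignIn"] == HIGH_RISK)
    ]


def resource_group_writes(rows, now):
    """Mirror of the resourceGroupCreation let-block."""
    return [
        {"AccountObjectId": r["AccountObjectId"], "ResourceGroupCreation": r["Timestamp"],
         "ResourceGroupName": r["ObjectName"]}
        for r in rows
        if r["Timestamp"] > now - LOOKBACK
        and r["Application"] == "Microsoft Azure"
        and r["ActionType"] == "Write ResourceGroup"
    ]


def correlate(signins, writes, window=WINDOW, unique_left=False):
    """Join on AccountObjectId, then keep writes in [sign-in, sign-in + window] (both ends inclusive,
    like KQL's between). unique_left=True imitates the default join kind (innerunique): one left row
    per key, the first one seen here (KQL keeps an arbitrary one)."""
    if unique_left:
        seen, deduped = set(), []
        for s in signins:
            if s["AccountObjectId"] not in seen:
                seen.add(s["AccountObjectId"])
                deduped.append(s)
        signins = deduped
    hits = []
    for s in signins:
        start = s["RiskySignInTimestamp"]
        for w in writes:
            if w["AccountObjectId"] != s["AccountObjectId"]:
                continue
            if start <= w["ResourceGroupCreation"] <= start + window:
                hits.append({**s, "ResourceGroupCreation": w["ResourceGroupCreation"],
                             "ResourceGroupName": w["ResourceGroupName"]})
    return hits


def detect(signin_rows, cloudapp_rows, now, unique_left=False):
    """The whole query: both let-blocks, then the time-bounded join."""
    return correlate(risky_azure_signins(signin_rows, now),
                     resource_group_writes(cloudapp_rows, now), unique_left=unique_left)


if __name__ == "__main__":
    for hit in detect(SIGNINS, CLOUDAPP, NOW):
        print("kind=inner hit:", hit)
    print("innerunique-style hits:", len(detect(SIGNINS, CLOUDAPP, NOW, unique_left=True)))
```

With kind=inner semantics the only hit is u1's second sign-in paired with rg-persist; with innerunique-style deduplication, if the first u1 sign-in is the one kept, that hit disappears, which is why the join kind matters for users who trip risk more than once in the lookback.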

Details

Rod Trent

Released: August 24, 2022

Tables

AADSignInEventsBeta, CloudAppEvents

Keywords

Users, high-risk sign-in activity, resource group

Operators

let, where, project, |, join, on, between, ..
