Query Details
//This query will hunt for real time risk events flagged as medium or high that aren't confirmed safe by Microsoft and then enrich that data with information from the IdentityInfo table
//Data connector required for this query - Azure Active Directory - AAD User Risk Events
//Data connector required for this query - Azure Active Directory - Signin Logs
//Data connector required for this query - Microsoft Sentinel UEBA
let id=
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN;
let signin=
SigninLogs
| where TimeGenerated > ago (14d)
| where RiskLevelDuringSignIn in ('high', 'medium')
| join kind=inner id on $left.UserPrincipalName == $right.AccountUPN
| extend SigninTime = TimeGenerated
| where RiskEventTypes_V2 != "[]";
AADUserRiskEvents
| where TimeGenerated > ago (14d)
| extend RiskTime = TimeGenerated
| where DetectionTimingType == "realtime"
| where RiskDetail !has "aiConfirmedSigninSafe"
| join kind=inner signin on CorrelationId
| extend TimeDelta = abs(SigninTime - RiskTime)
| project
    SigninTime,
    UserPrincipalName,
    RiskTime,
    TimeDelta,
    RiskEventTypes,
    RiskLevelDuringSignIn,
    City,
    Country,
    EmployeeId,
    AssignedRoles

This query looks for real-time risk events that are flagged as medium or high and have not been confirmed safe by Microsoft. It then enriches the data with information from the IdentityInfo table. The query requires data connectors for Azure Active Directory (AAD) User Risk Events, AAD Signin Logs, and Microsoft Sentinel UEBA.
The query first retrieves the latest identity information for each user. It then retrieves signin logs from the past 14 days and filters for high or medium risk levels. It joins this data with the identity information based on the user principal name.
Next, it retrieves AAD user risk events from the past 14 days and filters for real-time detection timing type. It excludes events that have been confirmed safe by Microsoft. It joins this data with the signin logs based on the correlation ID.
The query calculates the time difference between the signin time and the risk event time. Finally, it projects various fields including signin time, user principal name, risk event time, time difference, risk event types, risk level during signin, city, country, employee ID, and assigned roles.
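The walkthrough above can be checked without a Sentinel workspace. The block below is an added example, not part of the original query: it runs the same filters and joins over constructed datatable rows so each step's effect is visible. The *_Sample tables, their values and the fixed ReferenceTime (standing in for now()) are constructed and carry only a subset of the real columns; RiskState, ResultType and RiskEventType are real columns of the underlying tables that the original query does not project.

```kql
// Added example (not part of the original query): the same correlation logic
// run over constructed sample rows, so the filters and joins can be verified
// offline in any Kusto/KQL environment. The *_Sample tables, their values and
// the fixed reference time are constructed; they carry only a subset of the
// real columns of IdentityInfo, SigninLogs and AADUserRiskEvents.
let ReferenceTime = datetime(2022-06-17 00:00:00);   // stands in for now() so the 14d window is reproducible
let IdentityInfo_Sample = datatable(TimeGenerated:datetime, AccountUPN:string, City:string, Country:string, EmployeeId:string, AssignedRoles:dynamic)
[
    // two snapshots of the same account: arg_max must keep only the newer one
    datetime(2022-06-01 08:00:00), "alice@contoso.example", "Paris",  "FR", "E100", dynamic([]),
    datetime(2022-06-15 08:00:00), "alice@contoso.example", "Lyon",   "FR", "E100", dynamic(["Global Reader"]),
    datetime(2022-06-15 08:00:00), "bob@contoso.example",   "Dublin", "IE", "E200", dynamic([]),
    datetime(2022-06-15 08:00:00), "carol@contoso.example", "Oslo",   "NO", "E300", dynamic([])
];
let SigninLogs_Sample = datatable(TimeGenerated:datetime, UserPrincipalName:string, CorrelationId:string, ResultType:string, RiskLevelDuringSignIn:string, RiskEventTypes:string, RiskEventTypes_V2:string)
[
    // medium-risk sign-in with a detection attached: passes both sign-in filters
    datetime(2022-06-16 10:00:05), "alice@contoso.example", "c-1", "0", "medium", '["unfamiliarFeatures"]', '["unfamiliarFeatures"]',
    // high risk level but an empty detection list: dropped by the RiskEventTypes_V2 filter
    datetime(2022-06-16 11:00:00), "bob@contoso.example",   "c-2", "0", "high",   "[]", "[]",
    // low risk: dropped by the RiskLevelDuringSignIn filter
    datetime(2022-06-16 12:00:00), "bob@contoso.example",   "c-3", "0", "low",    "[]", "[]",
    // medium-risk sign-in whose detection Microsoft later confirmed safe (see the risk events)
    datetime(2022-06-16 13:00:02), "carol@contoso.example", "c-4", "0", "medium", '["anonymizedIPAddress"]', '["anonymizedIPAddress"]'
];
let AADUserRiskEvents_Sample = datatable(TimeGenerated:datetime, UserPrincipalName:string, CorrelationId:string, DetectionTimingType:string, RiskDetail:string, RiskState:string, RiskEventType:string)
[
    // real-time detection, not confirmed safe: kept
    datetime(2022-06-16 10:00:00), "alice@contoso.example", "c-1", "realtime", "none", "atRisk", "unfamiliarFeatures",
    // offline detection: dropped by the DetectionTimingType filter
    datetime(2022-06-16 11:00:00), "bob@contoso.example",   "c-2", "offline",  "none", "atRisk", "leakedCredentials",
    // real-time, but Microsoft's AI confirmed the sign-in safe: dropped by the RiskDetail filter
    datetime(2022-06-16 13:00:00), "carol@contoso.example", "c-4", "realtime", "aiConfirmedSigninSafe", "confirmedSafe", "anonymizedIPAddress"
];
// Same pipeline as the original query, pointed at the sample tables
let id =
    IdentityInfo_Sample
    | summarize arg_max(TimeGenerated, *) by AccountUPN;   // one row per account, newest snapshot wins
let signin =
    SigninLogs_Sample
    | where TimeGenerated > ReferenceTime - 14d
    | where RiskLevelDuringSignIn in ('high', 'medium')
    | join kind=inner id on $left.UserPrincipalName == $right.AccountUPN
    | extend SigninTime = TimeGenerated
    | where RiskEventTypes_V2 != "[]";
AADUserRiskEvents_Sample
| where TimeGenerated > ReferenceTime - 14d
| extend RiskTime = TimeGenerated
| where DetectionTimingType == "realtime"
| where RiskDetail !has "aiConfirmedSigninSafe"
| join kind=inner signin on CorrelationId        // pair each detection with the sign-in that raised it
| extend TimeDelta = abs(SigninTime - RiskTime)
| project
    SigninTime,
    UserPrincipalName,
    RiskTime,
    TimeDelta,
    RiskEventType,          // the detection itself, from AADUserRiskEvents
    RiskEventTypes,         // detections recorded on the sign-in
    RiskLevelDuringSignIn,
    RiskState,              // still atRisk, or already remediated/dismissed
    ResultType,             // "0" means the risky sign-in actually succeeded
    City,
    Country,
    EmployeeId,
    AssignedRoles
```

With these rows only the alice/c-1 pairing survives: the bob rows fall to the risk-level, empty-detection-list and offline-timing filters, and carol's detection is excluded by the aiConfirmedSigninSafe check even though her sign-in itself passes the sign-in filters. The surviving row carries City = Lyon and the Global Reader role from the newer IdentityInfo snapshot; drop the arg_max line and the same sign-in is returned twice, once per snapshot, which is the duplication the original query's first step is there to prevent.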

Matt Zorich
Released: June 17, 2022