Query Details

Identity Alert Guest Denied Access to Multiple Apps

Query

//Alert when Azure AD guest accounts are denied access (either by Conditional Access or because they aren't granted specific access) to multiple applications in a short time period
//This query uses 3 or more applications within an hour

//Data connector required for this query - Azure Active Directory - Signin Logs

//Microsoft Sentinel query
SigninLogs
| where TimeGenerated > ago(7d)
| where UserType == "Guest"
//53003 = access blocked by a Conditional Access policy; 50105 = signed-in user is not assigned to the application
| where ResultType in ("53003", "50105")
//Count distinct denied applications per guest within each 1-hour bin and keep the names for triage
| summarize
    ['Application Count']=dcount(AppDisplayName),
    ['Application List']=make_set(AppDisplayName)
    by UserPrincipalName, bin(TimeGenerated, 1h)
| where ['Application Count'] >= 3

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting with Azure AD P2 License

AADSignInEventsBeta
| where Timestamp > ago(7d)
| where IsGuestUser == 1
//Same denial codes as the Sentinel version: 53003 (Conditional Access block), 50105 (user not assigned to the application)
| where ErrorCode in ("53003", "50105")
| summarize
    ['Application Count']=dcount(Application),
    ['Application List']=make_set(Application)
    by AccountUpn, bin(Timestamp, 1h)
| where ['Application Count'] >= 3

Explanation

This query is used to identify when Azure AD guest accounts are denied access to multiple applications in a short time period. It looks for guest accounts that have been denied access either due to Conditional Access policies or because they haven't been granted specific access.

The query uses either the Azure Active Directory - Signin Logs data connector or the Advanced Hunting with Azure AD P2 License data connector, depending on which of the two versions above is run.

The query first filters the sign-in logs (or sign-in events) to the past 7 days and to users whose type is "Guest". It then keeps only the result types or error codes that indicate denied access.

It then summarizes the data by grouping on the user's principal name (or account UPN) and the time generated (or timestamp), binned into 1-hour intervals. For each group it counts the distinct applications in the denied sign-ins and builds a set of their names.

Finally, it keeps only the groups where that count of distinct applications is 3 or more.
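As an added example (not part of the original page or the author's query), the detection logic above is re-implemented in Python and run over a handful of constructed SigninLogs-style records, so the effect of the 7-day lookback, the Guest filter, the denial codes, the 1-hour binning and the distinct-count threshold can be inspected offline. Field names mirror the SigninLogs columns used in the query; the records, UPNs and the fixed reference time are all constructed for the example.

```python
# Added example: the Sentinel query's logic in Python, run over constructed
# SigninLogs-style records. Field names mirror the SigninLogs columns used
# by the query; every record and the fixed NOW below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Result types the query treats as a denial:
# 53003 = blocked by Conditional Access policy, 50105 = user not assigned to the app
DENIED_RESULT_TYPES = {"53003", "50105"}

# Fixed reference time so the 7-day lookback is reproducible (constructed)
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)


def bin_start(ts: datetime, bin_seconds: int) -> datetime:
    """Floor a timestamp to its bin start, like KQL bin(TimeGenerated, 1h)."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % bin_seconds, tz=timezone.utc)


def detect_guest_multi_app_denials(records, now=NOW, lookback=timedelta(days=7),
                                   bin_seconds=3600, min_apps=3):
    """Return one row per (guest UPN, 1h bin) with >= min_apps distinct denied apps."""
    denied_apps = defaultdict(set)  # (UPN, bin start) -> set of AppDisplayName
    for r in records:
        ts = datetime.fromisoformat(r["TimeGenerated"])
        if ts <= now - lookback:                    # TimeGenerated > ago(7d)
            continue
        if r["UserType"] != "Guest":                # UserType == "Guest"
            continue
        if r["ResultType"] not in DENIED_RESULT_TYPES:
            continue
        key = (r["UserPrincipalName"], bin_start(ts, bin_seconds))
        denied_apps[key].add(r["AppDisplayName"])   # input to make_set / dcount

    hits = []
    for (upn, start), apps in sorted(denied_apps.items()):
        if len(apps) >= min_apps:                   # ['Application Count'] >= 3
            hits.append({
                "UserPrincipalName": upn,
                "TimeGenerated": start,
                "Application Count": len(apps),
                "Application List": sorted(apps),
            })
    return hits


def _rec(ts, upn, app, result="53003", user_type="Guest"):
    """Build one constructed SigninLogs-style record."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "AppDisplayName": app,
            "ResultType": result, "UserType": user_type}


ALICE = "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com"  # constructed guest UPN
BOB = "bob_contoso.com#EXT#@fabrikam.onmicrosoft.com"      # constructed guest UPN

# Constructed sample records; each group is annotated with the expected outcome
SAMPLE_SIGNINS = [
    # Alice: three distinct apps denied inside the 09:00 bin -> alert
    _rec("2022-06-17T09:05:00+00:00", ALICE, "SharePoint Online"),
    _rec("2022-06-17T09:20:00+00:00", ALICE, "Microsoft Teams", result="50105"),
    _rec("2022-06-17T09:40:00+00:00", ALICE, "Power BI"),
    # Bob: three apps within 15 minutes, but split 2/1 across the 10:00 and
    # 11:00 bins -> no alert (bin() uses fixed boundaries, not a sliding window)
    _rec("2022-06-17T10:50:00+00:00", BOB, "SharePoint Online"),
    _rec("2022-06-17T10:55:00+00:00", BOB, "Microsoft Teams"),
    _rec("2022-06-17T11:05:00+00:00", BOB, "Power BI"),
    # Bob: the same app denied five times in one bin -> dcount is 1, no alert
    *[_rec(f"2022-06-17T08:{m:02d}:00+00:00", BOB, "Exchange Online") for m in range(5)],
    # Member (not guest) denied four apps in one bin -> removed by the UserType filter
    *[_rec("2022-06-17T09:10:00+00:00", "carol@fabrikam.onmicrosoft.com", a, user_type="Member")
      for a in ("App A", "App B", "App C", "App D")],
    # Alice: three apps denied, but eight days ago -> outside ago(7d)
    *[_rec("2022-06-09T09:10:00+00:00", ALICE, a) for a in ("App A", "App B", "App C")],
    # Alice: three successful sign-ins (ResultType 0) -> not denials
    *[_rec("2022-06-17T11:10:00+00:00", ALICE, a, result="0") for a in ("App A", "App B", "App C")],
]

if __name__ == "__main__":
    for hit in detect_guest_multi_app_denials(SAMPLE_SIGNINS):
        print(hit)
```

Only Alice's 09:00 bin fires. Bob's case shows the caveat a tuner should keep in mind: because bin() floors to fixed hour boundaries, three denials spread across an hour boundary are split into two groups and never reach the threshold, so a burst straddling the boundary is missed while the same burst a few minutes earlier would alert.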

Details


Matt Zorich

Released: June 17, 2022

Tables

SigninLogs, AADSignInEventsBeta

Keywords

AzureAD, ConditionalAccess, Guest accounts, Applications, SigninLogs, UserType, ResultType, AppDisplayName, UserPrincipalName, TimeGenerated, ApplicationCount, ApplicationList, AADSignInEventsBeta, Timestamp, IsGuestUser, ErrorCode, AccountUpn

Operators

|, where, >, ago, ==, in, summarize, dcount, make_set, by, bin
