Query Details

Identity Anomalous Conditional Access Failures

Query

//Detect anomalies in the amount of conditional access failures by users in your tenant, then visualize those conditional access failures

//Data connector required for this query - Azure Active Directory - Signin Logs

//Startdate and enddate = which period of data to look at, i.e. from 21 days ago until today.
let startdate=21d;
let enddate=1d;
//Timeframe = time period to break the data up into, i.e. 1 hour blocks.
let timeframe=1h;
//Sensitivity = the lower the number the more sensitive the anomaly detection is, i.e. it will find more anomalies, default is 1.5
let sensitivity=2;
//Threshold = set this to tune out low count anomalies, i.e. when total failures for a user doubles from 1 to 2
let threshold=5;
let outlierusers=
SigninLogs
| where TimeGenerated between (startofday(ago(startdate))..startofday(ago(enddate)))
| where ResultType == "53003"
| project TimeGenerated, ResultType, UserPrincipalName
| make-series CAFailureCount=count() on TimeGenerated from startofday(ago(startdate)) to startofday(ago(enddate)) step timeframe by UserPrincipalName
| extend outliers=series_decompose_anomalies(CAFailureCount, sensitivity)
| mv-expand TimeGenerated, CAFailureCount, outliers
| where outliers == 1 and CAFailureCount > threshold
| distinct UserPrincipalName;
//Optionally visualize the anomalies
SigninLogs
| where TimeGenerated between (startofday(ago(startdate))..startofday(ago(enddate)))
| where ResultType == "53003"
| project TimeGenerated, ResultType, UserPrincipalName
| where UserPrincipalName in (outlierusers)
| summarize CAFailures=count() by UserPrincipalName, bin(TimeGenerated, timeframe)
| render timechart with (ytitle="Failure Count", title="Anomalous Conditional Access Failures")

Explanation

This query detects anomalies in the number of conditional access failures (sign-ins with ResultType 53003) per user in your tenant and visualizes those failures. It uses the Azure Active Directory - Signin Logs data connector. The query looks at a specific period of data, starting from 21 days ago until today, broken up into 1-hour blocks. The sensitivity parameter determines how sensitive the anomaly detection is, with a lower number finding more anomalies. The threshold parameter filters out low-count anomalies, so that a user whose failures merely go from 1 to 2 is not reported. The query first identifies the outlier users whose hourly failure count spikes above the threshold, then visualizes their failures in a timechart.
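To make the two-stage filter concrete, here is an added Python model of what the query does (this is illustrative code, not the author's query or any Microsoft implementation): it bins constructed SigninLogs-like rows per user into one-hour blocks, flags outlier bins, and then drops anomalies whose count is at or below the threshold. The outlier test is a simplified stand-in (Tukey's fence on the series' interquartile range, which is the same fence style Kusto applies to residuals) rather than series_decompose_anomalies itself, which also removes trend and seasonality first. The user names, timestamps, window and counts are all constructed.

```python
"""Added example: per-user hourly CA-failure series, outlier flags, then a
minimum-count threshold.  Not the page's KQL and not Kusto's algorithm; the
outlier test is a simplified Tukey fence (assumption, see lead-in)."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

TIMEFRAME = timedelta(hours=1)
SENSITIVITY = 2.0     # fence multiplier; lower finds more anomalies
THRESHOLD = 5         # drop anomalies whose hourly count is <= this
CA_BLOCKED = "53003"  # ResultType the query filters on

START = datetime(2022, 6, 1)          # constructed 3-day window (72 bins)
END = START + timedelta(days=3)


def make_sample_events():
    """Constructed rows shaped like (TimeGenerated, ResultType, UserPrincipalName)."""
    events = []
    # alice: one CA failure every 6 hours, then a burst of 12 in a single hour
    for h in range(0, 72, 6):
        events.append((START + timedelta(hours=h), CA_BLOCKED, "alice@example.com"))
    for m in range(12):
        events.append((START + timedelta(hours=50, minutes=m), CA_BLOCKED, "alice@example.com"))
    # bob: quiet except 2 failures in one hour (anomalous shape, tiny count)
    for m in (5, 7):
        events.append((START + timedelta(hours=30, minutes=m), CA_BLOCKED, "bob@example.com"))
    # carol: 8 failures every hour (noisy but flat, so not an anomaly)
    for h in range(72):
        for m in range(8):
            events.append((START + timedelta(hours=h, minutes=m), CA_BLOCKED, "carol@example.com"))
    # a successful sign-in that the ResultType filter must drop
    events.append((START + timedelta(hours=50), "0", "alice@example.com"))
    return events


def make_series(events, start=START, end=END, timeframe=TIMEFRAME):
    """Equivalent of the query's where + make-series: CA failures per user per bin."""
    nbins = int((end - start) / timeframe)
    series = defaultdict(lambda: [0] * nbins)
    for ts, result, upn in events:
        if result != CA_BLOCKED or not (start <= ts < end):
            continue
        series[upn][int((ts - start) / timeframe)] += 1
    return dict(series)


def tukey_outliers(counts, sensitivity=SENSITIVITY):
    """Simplified stand-in for series_decompose_anomalies: flag bins above
    Q3 + sensitivity * IQR.  Only positive spikes are flagged, matching the
    query's `outliers == 1` filter."""
    q1, _, q3 = statistics.quantiles(counts, n=4)
    fence = q3 + sensitivity * (q3 - q1)
    return [1 if c > fence else 0 for c in counts]


def outlier_users(events, sensitivity=SENSITIVITY, threshold=THRESHOLD):
    """The `outlierusers` stage: users with at least one bin that is both an
    outlier and strictly above the minimum-count threshold."""
    found = set()
    for upn, counts in make_series(events).items():
        flags = tukey_outliers(counts, sensitivity)
        if any(f == 1 and c > threshold for f, c in zip(flags, counts)):
            found.add(upn)
    return found


if __name__ == "__main__":
    ev = make_sample_events()
    print("with threshold:", sorted(outlier_users(ev)))
    print("threshold=0:  ", sorted(outlier_users(ev, threshold=0)))
```

Running it shows why both filters are needed: with the threshold only alice is reported, because her quiet baseline makes the 12-failure hour an outlier and the count clears the threshold; with threshold=0 bob also appears, since two failures in an otherwise empty series is statistically an outlier even though it is operationally noise; carol never appears, because a constantly high failure rate is not a change and would be caught by a plain count query instead.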

Details

Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

Devices,Intune,User,AzureActiveDirectory,SigninLogs,TimeGenerated,ResultType,UserPrincipalName,CAFailureCount,outliers,threshold,startdate,enddate,timeframe,sensitivity,startofday,ago,make-series,count,step,extend,mv-expand,distinct,where,in,summarize,bin,render
