Query Details
//Find the applications that have the most privileged users accessing them using only single factor authentication
//Data connector required for this query - Azure Active Directory - Signin Logs
//Data connector required for this query - Microsoft Sentinel UEBA
let privusers=
IdentityInfo
| where TimeGenerated > ago(21d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where isnotempty(AssignedRoles)
| where AssignedRoles != "[]"
| distinct AccountUPN;
SigninLogs
| where TimeGenerated > ago(30d)
| where UserPrincipalName in (privusers)
| where ResultType == 0
| where AuthenticationRequirement == "singleFactorAuthentication"
| summarize
['List of Users']=make_set(UserPrincipalName),
['Count of Users']=dcount(UserPrincipalName)
by AppDisplayName
| sort by ['Count of Users'] desc

This query is looking for applications that are accessed by privileged users using only single factor authentication. It uses data from Azure Active Directory - Signin Logs and Microsoft Sentinel UEBA.
First, it identifies the privileged users by finding the most recent activity for each user and filtering out those without assigned roles. Then, it retrieves the sign-in logs for the past 30 days and filters for the privileged users who used single factor authentication.
Finally, it summarizes the results by the application display name, providing a list of users and the count of users for each application. The results are sorted in descending order based on the count of users.
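To check the query's logic offline, here is an added Python re-implementation of the same pipeline over a handful of constructed IdentityInfo and SigninLogs rows (not part of the original query or the Sentinel product). It shows the edge cases the KQL relies on: arg_max keeps only the latest UEBA snapshot per account (so a user whose roles were removed drops out), roles stored as the string "[]" are treated as empty, and failed or MFA sign-ins are excluded before the per-application summary. Account names, apps and timestamps are invented sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows standing in for the IdentityInfo (UEBA) and SigninLogs tables.
NOW = datetime(2022, 6, 17)
IDENTITY_INFO = [  # (TimeGenerated, AccountUPN, AssignedRoles); roles are a JSON-style string as in Sentinel
    (NOW - timedelta(days=20), "alice@contoso.example", '["Global Administrator"]'),
    (NOW - timedelta(days=5), "alice@contoso.example", '["Global Administrator"]'),
    (NOW - timedelta(days=15), "bob@contoso.example", '["Security Reader"]'),
    (NOW - timedelta(days=2), "bob@contoso.example", "[]"),  # roles removed in the latest snapshot
    (NOW - timedelta(days=10), "carol@contoso.example", ""),  # never privileged
    (NOW - timedelta(days=30), "dave@contoso.example", '["Exchange Administrator"]'),  # outside the 21d window
    (NOW - timedelta(days=1), "erin@contoso.example", '["Security Administrator"]'),
]
SIGNIN_LOGS = [  # (TimeGenerated, UserPrincipalName, ResultType, AuthenticationRequirement, AppDisplayName)
    (NOW - timedelta(days=1), "alice@contoso.example", 0, "singleFactorAuthentication", "Azure Portal"),
    (NOW - timedelta(days=3), "alice@contoso.example", 0, "multiFactorAuthentication", "Office 365 Exchange Online"),
    (NOW - timedelta(days=4), "alice@contoso.example", 50126, "singleFactorAuthentication", "Azure Portal"),  # failed
    (NOW - timedelta(days=2), "bob@contoso.example", 0, "singleFactorAuthentication", "Azure Portal"),
    (NOW - timedelta(days=6), "carol@contoso.example", 0, "singleFactorAuthentication", "Azure Portal"),
    (NOW - timedelta(days=8), "dave@contoso.example", 0, "singleFactorAuthentication", "Azure Portal"),
    (NOW - timedelta(days=1), "alice@contoso.example", 0, "singleFactorAuthentication", "Microsoft Graph"),
    (NOW - timedelta(days=2), "erin@contoso.example", 0, "singleFactorAuthentication", "Azure Portal"),
]

def privileged_users(identity_info, now=NOW, lookback_days=21):
    """The privusers let-statement: latest record per UPN inside the window, keep only non-empty roles."""
    latest = {}
    for ts, upn, roles in identity_info:
        if ts <= now - timedelta(days=lookback_days):  # TimeGenerated > ago(21d)
            continue
        if upn not in latest or ts > latest[upn][0]:  # arg_max(TimeGenerated, *) by AccountUPN
            latest[upn] = (ts, roles)
    return {upn for upn, (_, roles) in latest.items() if roles and roles != "[]"}

def single_factor_apps(signin_logs, privusers, now=NOW, lookback_days=30):
    """The SigninLogs pipeline: successful single-factor sign-ins by privileged users, summarized per app."""
    users_by_app = defaultdict(set)
    for ts, upn, result, auth_req, app in signin_logs:
        if ts <= now - timedelta(days=lookback_days):  # TimeGenerated > ago(30d)
            continue
        if upn in privusers and result == 0 and auth_req == "singleFactorAuthentication":
            users_by_app[app].add(upn)  # make_set / dcount of UserPrincipalName
    rows = [(app, sorted(users), len(users)) for app, users in users_by_app.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)  # sort by ['Count of Users'] desc

if __name__ == "__main__":
    for app, users, count in single_factor_apps(SIGNIN_LOGS, privileged_users(IDENTITY_INFO)):
        print(f"{app}: {count} user(s) -> {users}")
```

With these rows only alice and erin count as privileged, so the output lists Azure Portal with two users and Microsoft Graph with one.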

Matt Zorich
Released: June 17, 2022