Query Details
//Detects users who have accessed Azure AD Management interfaces, such as Azure AD PowerShell or Graph Explorer, who have not accessed in the previous timeframe.
//Data connector required for this query - Azure Active Directory - Signin Logs
//Add additional applications to include them in the same query, e.g. Defender for Cloud Apps portal.
//Select a time frame to look back on, e.g. find users logging on for the first time today not seen in the prior 60 days
let timeframe = startofday(ago(60d));
let applications = dynamic(["Azure Active Directory PowerShell", "Microsoft Azure PowerShell", "Graph Explorer", "ACOM Azure Website", "Azure Portal", "Azure Advanced Threat Protection"]);
//Baseline: every user/application pair seen between the start of the timeframe and the start of today
SigninLogs
| where TimeGenerated > timeframe and TimeGenerated < startofday(now())
| where AppDisplayName in (applications)
| project UserPrincipalName, AppDisplayName
//rightanti keeps only today's rows (right side) with no matching user/application pair in the baseline
| join kind=rightanti
(
SigninLogs
| where TimeGenerated > startofday(now())
| where AppDisplayName in (applications)
)
on UserPrincipalName, AppDisplayName
//Keep successful sign-ins only
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, ResultType, AppDisplayName, IPAddress, Location, UserAgent

This query detects users who have accessed Azure AD management interfaces, such as Azure AD PowerShell or Graph Explorer, but had not accessed them in the previous timeframe. It requires the Azure Active Directory - Signin Logs data connector. Additional applications, such as the Defender for Cloud Apps portal, can be added to the applications list, and the timeframe can be changed, for example to find users signing in for the first time today who were not seen in the prior 60 days. The first SigninLogs query builds a baseline of UserPrincipalName and AppDisplayName pairs seen between the start of the timeframe and the start of today; the right anti-join against today's sign-ins to the same applications then keeps only today's rows whose user/application pair has no match in that baseline. The result is filtered to successful sign-ins (ResultType == 0) and projected to TimeGenerated, UserPrincipalName, ResultType, AppDisplayName, IPAddress, Location and UserAgent.
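To make the join semantics concrete, the following is an added Python reimplementation of the same baseline-versus-today logic run over a handful of constructed sign-in records; it is not part of the original query page and not Matt Zorich's code. The event dictionaries, the user names and the fixed reference time are all made up for the example. It shows that the comparison is per user/application pair (a user with a long history in the Azure Portal is still flagged on first use of Graph Explorer), that events older than the lookback window do not count as a baseline, and one caveat a practitioner should know about the original query: because the ResultType filter sits after the join, a failed historical attempt is still enough to mark a pair as "seen".

```python
from datetime import datetime, timedelta, timezone

# Same application list the KQL query matches on
MANAGEMENT_APPS = {
    "Azure Active Directory PowerShell",
    "Microsoft Azure PowerShell",
    "Graph Explorer",
    "ACOM Azure Website",
    "Azure Portal",
    "Azure Advanced Threat Protection",
}


def startofday(ts):
    """Equivalent of KQL startofday(): midnight of the given timestamp."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def first_seen_management_signins(events, now, lookback_days=60):
    """Return today's successful sign-ins to management apps whose
    (UserPrincipalName, AppDisplayName) pair was not seen in the lookback window.

    Mirrors the KQL: the left side is the baseline of pairs seen in
    [startofday(ago(60d)), startofday(now())), the right side is today's
    sign-ins, and rightanti keeps only right rows with no left match.
    """
    today_start = startofday(now)
    baseline_start = startofday(now - timedelta(days=lookback_days))

    # Baseline: every pair seen in the window, regardless of ResultType.
    # The KQL applies `ResultType == 0` only after the join, i.e. to today's
    # rows, so a failed historical attempt still counts as "seen".
    baseline = {
        (e["UserPrincipalName"], e["AppDisplayName"])
        for e in events
        if baseline_start < e["TimeGenerated"] < today_start
        and e["AppDisplayName"] in MANAGEMENT_APPS
    }

    return [
        e
        for e in events
        if e["TimeGenerated"] > today_start
        and e["AppDisplayName"] in MANAGEMENT_APPS
        and (e["UserPrincipalName"], e["AppDisplayName"]) not in baseline
        and e["ResultType"] == "0"  # SigninLogs stores ResultType as a string
    ]


# Constructed reference time for the example (stands in for now())
NOW = datetime(2022, 6, 17, 15, 0, tzinfo=timezone.utc)


def _event(days_ago, hour, upn, app, result_type, ip):
    """Build a constructed SigninLogs-like record relative to NOW."""
    return {
        "TimeGenerated": startofday(NOW) - timedelta(days=days_ago) + timedelta(hours=hour),
        "UserPrincipalName": upn,
        "AppDisplayName": app,
        "ResultType": result_type,
        "IPAddress": ip,
        "Location": "AU",
        "UserAgent": "Mozilla/5.0",
    }


# Constructed sample data: all names and addresses are fictitious
SAMPLE_EVENTS = [
    _event(30, 10, "alice@contoso.com", "Azure Portal", "0", "203.0.113.10"),        # baseline
    _event(0, 9, "alice@contoso.com", "Azure Portal", "0", "203.0.113.10"),          # seen before: not flagged
    _event(0, 11, "alice@contoso.com", "Graph Explorer", "0", "203.0.113.10"),       # new app for alice: flagged
    _event(0, 8, "bob@contoso.com", "Graph Explorer", "0", "198.51.100.7"),          # never seen: flagged
    _event(20, 14, "carol@contoso.com", "Azure Portal", "50126", "203.0.113.22"),    # failed, but in baseline
    _event(0, 13, "carol@contoso.com", "Azure Portal", "0", "203.0.113.22"),         # not flagged (see caveat)
    _event(0, 10, "dave@contoso.com", "Azure Active Directory PowerShell", "50074", "198.51.100.9"),  # failed today
    _event(90, 9, "erin@contoso.com", "Azure Portal", "0", "203.0.113.31"),          # outside 60-day window
    _event(0, 16, "erin@contoso.com", "Azure Portal", "0", "203.0.113.31"),          # flagged
    _event(0, 12, "frank@contoso.com", "Microsoft Teams", "0", "198.51.100.12"),     # not a management app
]


def run_sample():
    """Return the flagged (user, app) pairs for the constructed sample."""
    hits = first_seen_management_signins(SAMPLE_EVENTS, NOW)
    return sorted((e["UserPrincipalName"], e["AppDisplayName"]) for e in hits)


if __name__ == "__main__":
    for upn, app in run_sample():
        print(f"first-seen management sign-in: {upn} -> {app}")
```

The `startofday` boundaries matter when the query is scheduled: a rule run at 00:05 sees only five minutes of "today", so a daily schedule close to midnight in the workspace's timezone is the natural fit for this shape of query.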

Matt Zorich
Released: June 17, 2022