Identity First Time Legacy Auth

//Find users that have connected successfully via legacy auth for the first time //First find users with existing successful legacy auth connections //Data connector required for this query - Azure Active Directory - Signin Logs //Microsoft Sentinel query let knownusers= SigninLogs | where TimeGenerated > ago(90d) and TimeGenerated < ago(1d) | where ResultType == 0 | where ClientAppUsed !in ("Mobile Apps and Desktop clients", "Browser") | distinct UserPrincipalName; //Find any new connections in the last day from users not in the existing list SigninLogs | where TimeGenerated > ago(1d) | where ResultType == 0 | where ClientAppUsed !in ("Mobile Apps and Desktop clients", "Browser") | where isnotempty(ClientAppUsed) | where UserPrincipalName !in (knownusers) | distinct UserPrincipalName, AppDisplayName, ClientAppUsed, IPAddress //Advanced Hunting query //Data connector required for this query - Advanced Hunting with Azure AD P2 License //First find users with existing successful legacy auth connections. Advanced Hunting only stores 30 days of data, but otherwise the same query works let knownusers= AADSignInEventsBeta | where Timestamp > ago(30d) and Timestamp < ago(1d) | where LogonType == @"[""interactiveUser""]" | where ErrorCode == 0 | where ClientAppUsed !in ("Mobile Apps and Desktop clients", "Browser") | where isnotempty(ClientAppUsed) | distinct AccountUpn; //Find any new connections in the last day from users not in the existing list AADSignInEventsBeta | where Timestamp > ago(1d) | where LogonType == @"[""interactiveUser""]" | where ErrorCode == 0 | where ClientAppUsed !in ("Mobile Apps and Desktop clients", "Browser") | where isnotempty(ClientAppUsed) | where AccountUpn !in (knownusers) | distinct AccountUpn, Application, ClientAppUsed, IPAddress

Explanation

The query is looking for users who have successfully connected via legacy authentication for the first time. It first identifies users with existing successful legacy authentication connections and then finds any new connections in the last day from users not in the existing list. The query filters out connections made through mobile apps, desktop clients, and browsers. The query also includes information such as the user's display name, the application used, and the IP address. The query can be run using either the Azure Active Directory - Signin Logs data connector or the Advanced Hunting with Azure AD P2 License data connector.

Details

Matt Zorich

Released: June 17, 2022

Tables

SigninLogsAADSignInEventsBeta

Keywords

Users,LegacyAuth,DataConnector,AzureActiveDirectory,SigninLogs,MicrosoftSentinel,Knownusers,TimeGenerated,ResultType,ClientAppUsed,MobileAppsandDesktopclients,Browser,UserPrincipalName,AppDisplayName,IPAddress,AdvancedHunting,AzureADP2License,AADSignInEventsBeta,Timestamp,LogonType,ErrorCode,AccountUpn,Application

Operators

whereago==!indistinctisnotempty!in

KQL Search