Query Details

Identity First Time SP Blocked by CA

Query

//Detect the first time a service principal fails Conditional Access

//Data connector required for this query - Azure Active Directory - Service Principal Signin Logs

//Microsoft Sentinel query
//First find service principals that have previously failed
//ResultType 53003 (AADSTS53003) means the sign-in was blocked by a Conditional Access policy
let knownfailures=
    AADServicePrincipalSignInLogs
    | where TimeGenerated > ago(30d) and TimeGenerated < ago(1d)
    | where ResultType == "53003"
    | distinct AppId;
//Find any new failures in the last day
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(1d)
| where ResultType == "53003"
| where AppId !in (knownfailures)
| project
    TimeGenerated,
    ServicePrincipalName,
    ServicePrincipalId,
    AppId,
    ConditionalAccessPolicies,
    IPAddress

//Detect the first time a service principal fails Conditional Access

//Data connector required for this query - Advanced Hunting with Azure AD P2 License

//Advanced Hunting query
//First find service principals that have previously failed
//ErrorCode 53003 (AADSTS53003) means the sign-in was blocked by a Conditional Access policy
let knownfailures=
    AADSpnSignInEventsBeta
    | where Timestamp > ago(30d) and Timestamp < ago(1d)
    | where ErrorCode == "53003"
    | distinct ApplicationId;
//Find any new failures in the last day
AADSpnSignInEventsBeta
| where Timestamp > ago(1d)
| where ErrorCode == "53003"
| where ApplicationId !in (knownfailures)
| project
    Timestamp,
    ServicePrincipalName,
    ServicePrincipalId,
    ApplicationId,
    IPAddress

Explanation

This query detects the first time a service principal is blocked by Conditional Access. It runs against either the Azure Active Directory (AAD) service principal sign-in logs (AADServicePrincipalSignInLogs) or the Advanced Hunting table AADSpnSignInEventsBeta, depending on which data connector is available.

First, it builds a baseline of service principals that have already failed by filtering the logs for result type "53003" (AADSTS53003, sign-in blocked by a Conditional Access policy) in the window from 30 days ago to 1 day ago, and keeps the distinct AppIds (ApplicationId in Advanced Hunting) of those failures.

Next, it looks for new failures in the last day by filtering for the same result type in the most recent 24 hours and excluding any AppId already present in the baseline. The remaining rows are projected with the time generated, service principal name and ID, AppId, the Conditional Access policies evaluated (Sentinel only) and the source IP address for further analysis. Because the baseline only covers the last 30 days, a service principal whose previous block is older than that will be reported as a first-time failure again.
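As an added illustration, not part of the original query or Matt Zorich's work, the same first-seen logic in Python over a handful of constructed sign-in rows, so the baseline-versus-recent behaviour (including the 30-day baseline caveat) can be checked offline. The row layout, AppIds, service principal names and IP addresses are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# AADSTS53003: the sign-in was blocked by a Conditional Access policy.
BLOCKED_BY_CA = "53003"

# Fixed "now" so the example is deterministic.
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)


def record(app_id, name, result_type, age, ip):
    """Build one constructed sign-in row with only the columns the query uses."""
    return {"TimeGenerated": NOW - age, "ServicePrincipalName": name,
            "AppId": app_id, "ResultType": result_type, "IPAddress": ip}


# Constructed sample rows (not real tenant data), oldest first.
SAMPLE_LOGS = [
    record("app-a", "sp-backup", BLOCKED_BY_CA, timedelta(days=12), "203.0.113.10"),
    record("app-c", "sp-legacy", BLOCKED_BY_CA, timedelta(days=45), "203.0.113.30"),
    record("app-a", "sp-backup", BLOCKED_BY_CA, timedelta(hours=2), "203.0.113.10"),
    record("app-b", "sp-reporting", BLOCKED_BY_CA, timedelta(hours=3), "198.51.100.7"),
    record("app-c", "sp-legacy", BLOCKED_BY_CA, timedelta(hours=1), "203.0.113.30"),
    record("app-d", "sp-healthy", "0", timedelta(minutes=30), "198.51.100.9"),
]


def first_time_ca_failures(logs, now=NOW, baseline_days=30, recent_days=1):
    """Mirror the KQL: rows blocked by CA in the last recent_days whose AppId
    had no CA block in the preceding baseline window (ago(30d) .. ago(1d))."""
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)
    known_failures = {
        row["AppId"] for row in logs
        if row["ResultType"] == BLOCKED_BY_CA
        and baseline_start < row["TimeGenerated"] < recent_start
    }
    return [
        row for row in logs
        if row["ResultType"] == BLOCKED_BY_CA
        and row["TimeGenerated"] > recent_start
        and row["AppId"] not in known_failures
    ]


def new_failing_app_ids(logs, **kwargs):
    """One entry per AppId, the unit an analyst would actually triage."""
    return sorted({row["AppId"] for row in first_time_ca_failures(logs, **kwargs)})


if __name__ == "__main__":
    for row in first_time_ca_failures(SAMPLE_LOGS):
        print(row["TimeGenerated"].isoformat(), row["AppId"], row["IPAddress"])
```

With the sample data, app-a is suppressed by its 12-day-old block, app-b is a genuine first failure, and app-c is reported even though it failed 45 days ago because that block falls outside the 30-day baseline; widening baseline_days to 60 suppresses it.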

Details


Matt Zorich

Released: June 17, 2022

Tables

AADServicePrincipalSignInLogs
AADSpnSignInEventsBeta

Keywords

Keywords: Detect, ServicePrincipal, ConditionalAccess, Dataconnector, AzureActiveDirectory, ServicePrincipalSigninLogs, MicrosoftSentinel, knownfailures, AADServicePrincipalSignInLogs, TimeGenerated, ResultType, AppId, distinct, ago, project, ServicePrincipalName, ServicePrincipalId, ConditionalAccessPolicies, IPAddress, AdvancedHunting, AzureADP2License, AADSpnSignInEventsBeta, Timestamp, ErrorCode, ApplicationId

Operators

where, TimeGenerated, ago, distinct, AppId, ResultType, in, project, ServicePrincipalName, ServicePrincipalId, ConditionalAccessPolicies, IPAddress, AADServicePrincipalSignInLogs, AADSpnSignInEventsBeta, Timestamp, ErrorCode, ApplicationId
