Query Details

Identity Guest Type Parser

Query

//Adds logic to your SigninLogs to determine whether guest authentications are inbound (guests accessing your tenant) or outbound (your users accessing other tenants)

//Data connector required for this query - Azure Active Directory - Sign in Logs

SigninLogs
| where TimeGenerated > ago (1d)
| where UserType == "Guest"
| project TimeGenerated, UserPrincipalName, AppDisplayName, ResultType, IPAddress, HomeTenantId, ResourceTenantId, AADTenantId
| extend ['Guest Type'] = case(
    AADTenantId != HomeTenantId and HomeTenantId != ResourceTenantId, strcat("Inbound Guest"),
    AADTenantId == HomeTenantId and ResourceTenantId != AADTenantId, strcat("Outbound Guest"),
    "unknown")

Explanation

This query reads the SigninLogs table from Azure Active Directory and labels each guest authentication as inbound (a guest from another tenant accessing your tenant) or outbound (one of your users accessing another tenant). It keeps the last 1 day of data and only rows where UserType is "Guest", then projects TimeGenerated, UserPrincipalName, AppDisplayName, ResultType, IPAddress and the three tenant identifiers the classification depends on: AADTenantId (the tenant that wrote the log entry, i.e. your tenant), HomeTenantId (the tenant the signing-in account belongs to) and ResourceTenantId (the tenant that owns the resource being accessed). The added "Guest Type" column is a case expression over those three values. A row is "Inbound Guest" when AADTenantId differs from HomeTenantId and HomeTenantId differs from ResourceTenantId, meaning the account is home to another tenant and is reaching a resource outside that tenant. A row is "Outbound Guest" when AADTenantId equals HomeTenantId and ResourceTenantId differs from AADTenantId, meaning the account is home to your tenant and the resource lives elsewhere. Everything else is "unknown", for example a Guest-typed account whose home tenant and resource tenant are both your tenant. Note that the expression is a plain string comparison: a row with an empty HomeTenantId satisfies both inbound conditions and is labelled "Inbound Guest", so add an isnotempty(HomeTenantId) check first if you need such rows kept apart. ResultType is carried through so the output can be split into successful ("0") and failed sign-ins.
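As an added example that is not part of the original query or its author's page, the same classification run over a handful of constructed SigninLogs rows supplied through datatable, so it can be pasted into any Log Analytics or Kusto query window without the Azure Active Directory connector. Every GUID, UPN, IP address and ResultType value is a placeholder. It goes beyond the page's query in two ways: an isempty(HomeTenantId) guard so a missing home tenant lands in "unknown" instead of "Inbound Guest", and a summarize that rolls the rows up per guest type and per peer tenant (the guest's home tenant for inbound, the target tenant for outbound) with success and failure counts.

```kql
// Added example: constructed stand-in for SigninLogs. All GUIDs, UPNs, IPs and
// ResultType values are placeholders, not real tenant data.
// Convention used here: 1111... is "our" tenant (AADTenantId); 2222... and 3333... are other tenants.
let SampleSigninLogs = datatable(
    TimeGenerated:datetime, UserPrincipalName:string, AppDisplayName:string, ResultType:string,
    IPAddress:string, HomeTenantId:string, ResourceTenantId:string, AADTenantId:string, UserType:string)
[
    // inbound: account home in 2222..., resource and log tenant are ours
    datetime(2022-11-11 09:00:00), "alice_fabrikam.com#EXT#@contoso.onmicrosoft.com", "Microsoft Teams", "0",
        "203.0.113.10", "22222222-2222-2222-2222-222222222222", "11111111-1111-1111-1111-111111111111", "11111111-1111-1111-1111-111111111111", "Guest",
    // inbound, failed sign-in (non-zero ResultType)
    datetime(2022-11-11 09:05:00), "alice_fabrikam.com#EXT#@contoso.onmicrosoft.com", "SharePoint Online", "50126",
        "203.0.113.10", "22222222-2222-2222-2222-222222222222", "11111111-1111-1111-1111-111111111111", "11111111-1111-1111-1111-111111111111", "Guest",
    // outbound: our user signing in to a resource owned by 3333...
    datetime(2022-11-11 10:00:00), "bob@contoso.com", "Azure Portal", "0",
        "198.51.100.7", "11111111-1111-1111-1111-111111111111", "33333333-3333-3333-3333-333333333333", "11111111-1111-1111-1111-111111111111", "Guest",
    // unknown: Guest-typed account that is home to our tenant and accessing our tenant
    datetime(2022-11-11 11:00:00), "carol@contoso.com", "Office 365 Exchange Online", "0",
        "198.51.100.8", "11111111-1111-1111-1111-111111111111", "11111111-1111-1111-1111-111111111111", "11111111-1111-1111-1111-111111111111", "Guest",
    // empty HomeTenantId: would be labelled Inbound Guest without the isempty() guard below
    datetime(2022-11-11 12:00:00), "dave_example.org#EXT#@contoso.onmicrosoft.com", "Microsoft Teams", "0",
        "203.0.113.22", "", "11111111-1111-1111-1111-111111111111", "11111111-1111-1111-1111-111111111111", "Guest",
    // member sign-in, dropped by the UserType filter
    datetime(2022-11-11 13:00:00), "erin@contoso.com", "Azure Portal", "0",
        "198.51.100.9", "11111111-1111-1111-1111-111111111111", "11111111-1111-1111-1111-111111111111", "11111111-1111-1111-1111-111111111111", "Member"
];
SampleSigninLogs
| where UserType == "Guest"
| extend ['Guest Type'] = case(
    isempty(HomeTenantId), "unknown",   // guard added beyond the page's query
    AADTenantId != HomeTenantId and HomeTenantId != ResourceTenantId, "Inbound Guest",
    AADTenantId == HomeTenantId and ResourceTenantId != AADTenantId, "Outbound Guest",
    "unknown")
// the tenant on the other side of the relationship: the guest's home tenant for inbound, the target tenant for outbound
| extend PeerTenantId = case(
    ['Guest Type'] == "Inbound Guest", HomeTenantId,
    ['Guest Type'] == "Outbound Guest", ResourceTenantId,
    "")
| summarize SignIns = count(),
            FailedSignIns = countif(ResultType != "0"),
            Users = dcount(UserPrincipalName),
            Apps = make_set(AppDisplayName)
    by ['Guest Type'], PeerTenantId
| order by ['Guest Type'] asc
```

With these constructed rows the result has three lines: Inbound Guest from tenant 2222... with 2 sign-ins (1 failed, 1 user), Outbound Guest to tenant 3333... with 1 sign-in, and unknown with 2 sign-ins (carol's internal guest sign-in and dave's row with no HomeTenantId). Swap SampleSigninLogs for SigninLogs and add the TimeGenerated filter from the page's query to run it against live data.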

Details


Matt Zorich

Released: November 11, 2022

Tables

SigninLogs

Keywords

SigninLogs,TimeGenerated,UserPrincipalName,AppDisplayName,ResultType,IPAddress,HomeTenantId,ResourceTenantId,AADTenantId,GuestType,InboundGuest,OutboundGuest

Operators

where, ago, ==, project, extend, case, !=, and, strcat
