Query Details

Identity High Medium Realtime Risk for AAD Roles

Query

//Query to find high or medium real time risk events for users who have an assigned Azure AD role

//Data connector required for this query - Azure Active Directory - Signin Logs
//Data connector required for this query - Azure Active Directory - AAD User Risk Events
//Data connector required for this query - Microsoft Sentinel UEBA

let id=
    IdentityInfo
    // keep only the latest UEBA snapshot per account (roles, location, employee ID)
    | summarize arg_max(TimeGenerated, *) by AccountUPN;
let signin=
    SigninLogs
    | where TimeGenerated > ago(14d)
    | where RiskLevelDuringSignIn in ('high', 'medium')
    // inner join: sign-ins for accounts without an IdentityInfo record drop out
    | join kind=inner id on $left.UserPrincipalName == $right.AccountUPN
    | extend SigninTime = TimeGenerated
    | where RiskEventTypes_V2 != "[]";
AADUserRiskEvents
| where TimeGenerated > ago(14d)
| extend RiskTime = TimeGenerated
| where DetectionTimingType == "realtime"
// drop detections that Identity Protection later marked as safe
| where RiskDetail !has "aiConfirmedSigninSafe"
// CorrelationId ties each detection to the sign-in that raised it
| join kind=inner signin on CorrelationId
| where AssignedRoles != "[]"
| extend TimeDelta = abs(SigninTime - RiskTime)
| project
    SigninTime,
    UserPrincipalName,
    RiskTime,
    TimeDelta,
    RiskEventTypes,
    RiskLevelDuringSignIn,
    City,
    Country,
    EmployeeId,
    AssignedRoles

Explanation

This query surfaces high or medium real-time risk detections that fired on sign-ins by users who hold an Azure AD directory role. It needs three data connectors: Azure Active Directory - Signin Logs (the SigninLogs table), Azure Active Directory - AAD User Risk Events (AADUserRiskEvents) and Microsoft Sentinel UEBA, which populates the IdentityInfo table that supplies AssignedRoles.

The query first takes the latest IdentityInfo record for each account (summarize arg_max(TimeGenerated, *) by AccountUPN), so a user's role list reflects the most recent UEBA snapshot rather than the role state at the moment of the sign-in. It then filters SigninLogs to the last 14 days, keeps sign-ins whose RiskLevelDuringSignIn is high or medium, inner-joins them to the identity records on UserPrincipalName == AccountUPN (sign-ins for accounts UEBA has not profiled drop out), stamps the sign-in timestamp as SigninTime, and discards rows whose RiskEventTypes_V2 is an empty array.

Next it takes AADUserRiskEvents from the last 14 days, keeps only detections whose DetectionTimingType is realtime, and excludes those whose RiskDetail contains aiConfirmedSigninSafe, the value Identity Protection sets when its machine learning later judged the sign-in to be safe. These detections are inner-joined to the risky sign-ins on CorrelationId, which ties each detection to the exact sign-in that triggered it.

Finally it drops rows where AssignedRoles is an empty array, computes TimeDelta as the absolute difference between SigninTime and RiskTime (typically small for a real-time detection), and projects SigninTime, UserPrincipalName, RiskTime, TimeDelta, RiskEventTypes, RiskLevelDuringSignIn, City, Country, EmployeeId and AssignedRoles. When triaging hits, keep in mind that City, Country, EmployeeId and AssignedRoles come from IdentityInfo, not from the sign-in itself; the sign-in's own location is in the SigninLogs Location and LocationDetails columns if you need to compare the two.
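To make the join and filter logic concrete, here is the same pipeline re-implemented in plain Python over constructed rows. This is an added worked example, not code from the original page or from Matt Zorich's repository; the table rows, UPNs, correlation IDs and timestamps are all made up, and the string containment check stands in for the KQL !has operator. It shows which rows survive each stage and why: the later IdentityInfo snapshot winning arg_max, a low-risk sign-in and an empty RiskEventTypes_V2 dropping out, an offline detection and an aiConfirmedSigninSafe detection being excluded, and a role-less user being filtered at the end.

```python
# Added worked example (not from the original page or Matt Zorich's repo):
# the KQL query's join-and-filter logic, run in Python over constructed rows.
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed IdentityInfo snapshots (UEBA). alice appears twice; the later
# snapshot carries a role, which is what arg_max(TimeGenerated, *) keeps.
IDENTITY_INFO = [
    dict(TimeGenerated=ts("2022-06-01T00:00:00"), AccountUPN="alice@contoso.example",
         AssignedRoles="[]", City="Sydney", Country="AU", EmployeeId="E100"),
    dict(TimeGenerated=ts("2022-06-10T00:00:00"), AccountUPN="alice@contoso.example",
         AssignedRoles='["Global Administrator"]', City="Sydney", Country="AU", EmployeeId="E100"),
    dict(TimeGenerated=ts("2022-06-10T00:00:00"), AccountUPN="bob@contoso.example",
         AssignedRoles="[]", City="Perth", Country="AU", EmployeeId="E200"),
    dict(TimeGenerated=ts("2022-06-10T00:00:00"), AccountUPN="carol@contoso.example",
         AssignedRoles='["Security Reader"]', City="Melbourne", Country="AU", EmployeeId="E300"),
]

def signin(t, upn, cid, level, types):
    """Constructed SigninLogs row with only the columns the query touches."""
    return dict(TimeGenerated=ts(t), UserPrincipalName=upn, CorrelationId=cid,
                RiskLevelDuringSignIn=level, RiskEventTypes_V2=types, RiskEventTypes=types)

SIGNIN_LOGS = [
    signin("2022-06-15T09:00:00", "alice@contoso.example", "c-1", "high",   '["unfamiliarFeatures"]'),
    signin("2022-06-15T10:00:00", "bob@contoso.example",   "c-2", "medium", '["anonymizedIPAddress"]'),
    signin("2022-06-15T11:00:00", "carol@contoso.example", "c-3", "medium", '["anonymizedIPAddress"]'),
    signin("2022-06-15T12:00:00", "alice@contoso.example", "c-4", "low",    '["unlikelyTravel"]'),
    signin("2022-06-15T13:00:00", "carol@contoso.example", "c-5", "high",   "[]"),
    signin("2022-05-20T08:00:00", "alice@contoso.example", "c-0", "high",   '["unfamiliarFeatures"]'),
]

def risk(t, cid, timing, detail):
    """Constructed AADUserRiskEvents row with only the columns the query touches."""
    return dict(TimeGenerated=ts(t), CorrelationId=cid, DetectionTimingType=timing, RiskDetail=detail)

RISK_EVENTS = [
    risk("2022-06-15T09:00:30", "c-1", "realtime", "none"),                   # kept: privileged, real-time
    risk("2022-06-15T10:00:30", "c-2", "realtime", "none"),                   # dropped: bob holds no role
    risk("2022-06-15T11:00:30", "c-3", "realtime", "aiConfirmedSigninSafe"),  # dropped: confirmed safe
    risk("2022-06-15T12:00:30", "c-4", "realtime", "none"),                   # dropped: sign-in was low risk
    risk("2022-06-15T13:00:30", "c-5", "offline",  "none"),                   # dropped: offline detection
    risk("2022-05-20T08:00:30", "c-0", "realtime", "none"),                   # dropped: outside 14-day window
]

def latest_identity(rows):
    """IdentityInfo | summarize arg_max(TimeGenerated, *) by AccountUPN."""
    latest = {}
    for r in rows:
        cur = latest.get(r["AccountUPN"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            latest[r["AccountUPN"]] = r
    return latest

def risky_signins(signins, identity, now, window=timedelta(days=14)):
    """The 'signin' let: 14-day window, high/medium risk, inner join to IdentityInfo, non-empty risk types."""
    out = []
    for s in signins:
        if s["TimeGenerated"] <= now - window:
            continue
        if s["RiskLevelDuringSignIn"] not in ("high", "medium"):
            continue
        ident = identity.get(s["UserPrincipalName"])  # inner join: unprofiled UPNs drop out
        if ident is None or s["RiskEventTypes_V2"] == "[]":
            continue
        out.append(dict(s, SigninTime=s["TimeGenerated"], AssignedRoles=ident["AssignedRoles"],
                        City=ident["City"], Country=ident["Country"], EmployeeId=ident["EmployeeId"]))
    return out

def correlate(risk_events, signins, now, window=timedelta(days=14)):
    """Main pipeline: real-time, not AI-confirmed-safe, joined on CorrelationId, role holders only."""
    results = []
    for e in risk_events:
        if e["TimeGenerated"] <= now - window or e["DetectionTimingType"] != "realtime":
            continue
        if "aiConfirmedSigninSafe" in e["RiskDetail"]:  # substring check approximates KQL !has
            continue
        for s in signins:
            if s["CorrelationId"] != e["CorrelationId"] or s["AssignedRoles"] == "[]":
                continue
            results.append(dict(
                SigninTime=s["SigninTime"], UserPrincipalName=s["UserPrincipalName"],
                RiskTime=e["TimeGenerated"], TimeDelta=abs(s["SigninTime"] - e["TimeGenerated"]),
                RiskEventTypes=s["RiskEventTypes"], RiskLevelDuringSignIn=s["RiskLevelDuringSignIn"],
                City=s["City"], Country=s["Country"], EmployeeId=s["EmployeeId"],
                AssignedRoles=s["AssignedRoles"]))
    return results

def run_query(now=ts("2022-06-17T00:00:00")):
    """Run the whole pipeline against the constructed tables; 'now' stands in for ago()."""
    identity = latest_identity(IDENTITY_INFO)
    return correlate(RISK_EVENTS, risky_signins(SIGNIN_LOGS, identity, now), now)

if __name__ == "__main__":
    for row in run_query():
        print(row)
```

Running it yields a single row, alice's Global Administrator sign-in with a 30-second TimeDelta; every other constructed detection is eliminated by one of the query's filters, which is a useful way to sanity-check a modified version of the KQL before deploying it as an analytics rule.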

Details


Matt Zorich

Released: June 17, 2022

Tables

IdentityInfo, SigninLogs, AADUserRiskEvents

Keywords

Devices, Intune, User, AzureAD, RiskEvents, SigninLogs, AADUserRiskEvents, MicrosoftSentinelUEBA, AccountUPN, RiskLevelDuringSignIn, UserPrincipalName, TimeGenerated, RiskEventTypes_V2, DetectionTimingType, RiskDetail, CorrelationId, AssignedRoles, TimeDelta, SigninTime, RiskTime, RiskEventTypes, City, Country, EmployeeId

Operators

let, summarize, arg_max, by, where, ago, in, join kind=inner, on, extend, !=, !has, abs, project
