Query Details
//Detect when MFA details for a user are changed, deleted or registered from an IP address that user has never signed in successfully from
//Data connector required for this query - Azure Active Directory - Signin Logs
//Data connector required for this query - Azure Active Directory - Audit Logs
//Cache all successful sign in data for users using materialize operator
let signindata=materialize (
SigninLogs
| where TimeGenerated > ago(180d)
| where ResultType == 0
| distinct UserPrincipalName, UserId, IPAddress);
//Search for audit events showing MFA registrations, deletions or changes in the last 10 days
AuditLogs
| where TimeGenerated > ago(10d)
| where OperationName in ("User registered security info", "User deleted security info", "User registered all required security info")
| where Result == "success"
| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend UserId = tostring(TargetResources[0].id)
| project UserPrincipalName, UserId, IPAddress, OperationName
//Join those events back to our summarized sign in data looking for users who register MFA from an IP they have never signed in from
| where isnotempty(IPAddress)
| join kind=leftanti (signindata) on IPAddress, UserId
| distinct UserPrincipalName, IPAddress, OperationName

This query looks for instances where a user's MFA details are changed, deleted, or registered from an IP address that the user has never successfully signed in from.
To do this, the query first caches 180 days of successful sign-in data (ResultType 0) as distinct user and IP address pairs, using the materialize operator so that set is computed once and reused by the join.
Then, it searches the audit logs for events in the last 10 days that show MFA registrations, deletions, or changes. It keeps only events with a "success" result, extracts the initiator's IP address and user principal name from InitiatedBy.user and the target user's ID from TargetResources, and drops events with no IP address (for example, changes initiated by an application rather than a user, where InitiatedBy.user is empty).
Next, it joins these events back to the sign-in data with a leftanti join on UserId and IPAddress, which keeps only the MFA events whose user and IP pair never appears in the successful sign-in baseline.
Finally, it returns the distinct user principal name, IP address, and operation name for these instances.
Two things to keep in mind when triaging the results. The IP address and user principal name come from the account that initiated the change, while the user ID comes from the target account, so a method registered by an administrator or help desk on a user's behalf is reported under the initiator's UPN and will usually surface, because the administrator's IP is not in the target user's sign-in history. Also, the baseline is only as long as your sign-in log retention: if the workspace retains less than 180 days, an IP the user last used before the retention cutoff will look new.
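The following is an added example, not part of the original query or its author's code: a Python re-implementation of the same detection logic run over constructed sign-in and audit rows, so the filter, join and distinct steps can be exercised offline without a Sentinel workspace. The sample records, user IDs and IP addresses are made up, and the extra SelfService field (initiator ID equals target ID) is an assumption added here to separate self-service changes from administrator-initiated ones; it is not a column the original query returns.

```python
import json

# Operations the query matches in AuditLogs.
MFA_OPERATIONS = {
    "User registered security info",
    "User deleted security info",
    "User registered all required security info",
}

# Constructed sample rows (not real tenant data). ResultType 0 is a successful sign-in.
SIGNIN_LOGS = [
    {"UserPrincipalName": "alice@contoso.com", "UserId": "u-alice", "IPAddress": "203.0.113.10", "ResultType": 0},
    {"UserPrincipalName": "alice@contoso.com", "UserId": "u-alice", "IPAddress": "203.0.113.11", "ResultType": 0},
    # A failed sign-in must not seed the baseline; otherwise a password-spray
    # source that never got in would count as a "known" IP for the user.
    {"UserPrincipalName": "alice@contoso.com", "UserId": "u-alice", "IPAddress": "198.51.100.7", "ResultType": 50126},
    {"UserPrincipalName": "bob@contoso.com", "UserId": "u-bob", "IPAddress": "203.0.113.20", "ResultType": 0},
]


def audit_row(op, result, initiator_id, initiator_upn, ip, target_id):
    """Build a constructed row shaped like AuditLogs: InitiatedBy and TargetResources as JSON text."""
    user = {"id": initiator_id, "userPrincipalName": initiator_upn}
    if ip is not None:
        user["ipAddress"] = ip
    return {
        "OperationName": op,
        "Result": result,
        "InitiatedBy": json.dumps({"user": user}),
        "TargetResources": json.dumps([{"id": target_id}]),
    }


AUDIT_LOGS = [
    # Alice re-registers from an IP she has signed in from: not reported.
    audit_row("User registered security info", "success", "u-alice", "alice@contoso.com", "203.0.113.10", "u-alice"),
    # Alice registers from the IP that only ever produced failed sign-ins: reported.
    audit_row("User registered security info", "success", "u-alice", "alice@contoso.com", "198.51.100.7", "u-alice"),
    # Bob deletes a method from a never-seen IP: reported once; the duplicate collapses like `distinct`.
    audit_row("User deleted security info", "success", "u-bob", "bob@contoso.com", "192.0.2.99", "u-bob"),
    audit_row("User deleted security info", "success", "u-bob", "bob@contoso.com", "192.0.2.99", "u-bob"),
    # Help desk registers a method for Bob from the help desk's IP: reported under the
    # initiator's UPN with Bob's UserId, which is why SelfService is worth surfacing.
    audit_row("User registered all required security info", "success", "u-admin", "helpdesk@contoso.com", "203.0.113.50", "u-bob"),
    # No ipAddress on the initiator: dropped by the isnotempty(IPAddress) filter.
    audit_row("User registered security info", "success", "u-bob", "bob@contoso.com", None, "u-bob"),
    # Failed change: dropped by the Result == "success" filter.
    audit_row("User deleted security info", "failure", "u-bob", "bob@contoso.com", "192.0.2.100", "u-bob"),
]


def known_signin_pairs(signins):
    """Equivalent of the materialized signindata: distinct (UserId, IPAddress) with ResultType 0."""
    return {(r["UserId"], r["IPAddress"]) for r in signins if r["ResultType"] == 0}


def parse_audit_event(row):
    """Mirror the where/extend steps of the query; return None when the row is filtered out."""
    if row["OperationName"] not in MFA_OPERATIONS or row["Result"] != "success":
        return None
    initiator = json.loads(row["InitiatedBy"]).get("user", {})
    ip = initiator.get("ipAddress", "")
    if not ip:
        return None
    return {
        "UserPrincipalName": initiator.get("userPrincipalName", ""),  # initiator's UPN, as in the query
        "InitiatorId": initiator.get("id", ""),                        # added here, not in the query
        "UserId": json.loads(row["TargetResources"])[0]["id"],         # target user's ID, as in the query
        "IPAddress": ip,
        "OperationName": row["OperationName"],
    }


def detect_mfa_changes_from_new_ip(signins, audits):
    """leftanti join on (UserId, IPAddress), then distinct on the reported columns."""
    known = known_signin_pairs(signins)
    seen, findings = set(), []
    for row in audits:
        ev = parse_audit_event(row)
        if ev is None or (ev["UserId"], ev["IPAddress"]) in known:
            continue
        key = (ev["UserPrincipalName"], ev["IPAddress"], ev["OperationName"])
        if key in seen:
            continue
        seen.add(key)
        findings.append({**ev, "SelfService": ev["InitiatorId"] == ev["UserId"]})
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_changes_from_new_ip(SIGNIN_LOGS, AUDIT_LOGS):
        print(finding)
```

Running it reports three findings: Alice's registration from the IP that only ever failed to sign in, Bob's deletion from a never-seen IP, and the help-desk registration for Bob, which carries the help desk UPN but Bob's UserId and SelfService set to False.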

Matt Zorich
Released: June 17, 2022