Query Details

Identity MFA New Location and Method

Query

//Alert when a user successfully signs in from both a new location and using a new MFA method
//Data connector required for this query - Azure Active Directory - Signin Logs
//Cache all authentication methods and locations to memory using the materialize function for the last 6 months
let mfahistory = materialize (
    SigninLogs
    | where TimeGenerated > ago(180d) and TimeGenerated < ago(1d)
    | where ResultType == 0
    | where AuthenticationRequirement == "multiFactorAuthentication"
    | extend AuthMethod = tostring(MfaDetail.authMethod)
    | where isnotempty(AuthMethod)
    | distinct UserPrincipalName, AuthMethod, Location);
//Find sign ins from the last day that have both a new location and MFA method
mfahistory
| join kind=rightanti (
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == 0
    | where AuthenticationRequirement == "multiFactorAuthentication"
    | extend AuthMethod = tostring(MfaDetail.authMethod)
    | where isnotempty(AuthMethod)
    | distinct
        UserPrincipalName,
        AuthMethod,
        AppDisplayName,
        Location,
        IPAddress)
    on UserPrincipalName, Location

Explanation

This query is used to alert when a user successfully signs in from both a new location and using a new MFA method. It requires the Azure Active Directory - Signin Logs data connector.

The query first uses materialize to cache in memory every user, authentication method and location combination seen in successful multi-factor sign-ins between 180 days ago and one day ago. It keeps only sign-ins with ResultType 0 and an AuthenticationRequirement of multiFactorAuthentication, extracts the authentication method from MfaDetail.authMethod, drops rows where that value is empty, and reduces the result to distinct values of user principal name, authentication method and location.

Next, the query builds the candidate set for the alert: sign-ins from the last day, filtered the same way (successful, multi-factor, non-empty authentication method), reduced to distinct values of user principal name, authentication method, app display name, location and IP address.

Finally, it joins the two sets on user principal name and location using a right anti-join, which returns only the rows from the right side (the last day's sign-ins) that have no matching user-and-location pair in the six-month history. Because AuthMethod is not one of the join keys, the join as written tests only whether the location is new for that user; the authentication method is carried into the output but is not itself checked against the history.
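The comment at the top of the query asks for both a new location and a new MFA method. The following variant, an added example and not the page's query or its author's, enforces both conditions by anti-joining the last day's sign-ins separately against each user's known locations and known MFA methods, and it also drops users with no six-month history, who would otherwise match trivially. The column names are the SigninLogs columns used above; `lookback`, `knownlocations` and `knownmethods` are names chosen for this example.

```kql
// Added example: require BOTH a new location AND a new MFA method for the same user.
let lookback = 180d;
let mfahistory = materialize (
    SigninLogs
    | where TimeGenerated > ago(lookback) and TimeGenerated < ago(1d)
    | where ResultType == 0
    | where AuthenticationRequirement == "multiFactorAuthentication"
    | extend AuthMethod = tostring(MfaDetail.authMethod)
    | where isnotempty(AuthMethod)
    | distinct UserPrincipalName, AuthMethod, Location);
// Per-user sets of previously seen locations and previously seen MFA methods
let knownlocations = mfahistory | distinct UserPrincipalName, Location;
let knownmethods = mfahistory | distinct UserPrincipalName, AuthMethod;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where AuthenticationRequirement == "multiFactorAuthentication"
| extend AuthMethod = tostring(MfaDetail.authMethod)
| where isnotempty(AuthMethod)
// One row per user/method/location, keeping the apps and IPs involved for triage
| summarize FirstSeen = min(TimeGenerated), Apps = make_set(AppDisplayName), IPs = make_set(IPAddress)
    by UserPrincipalName, AuthMethod, Location
// Keep only rows whose user-and-location pair has not been seen in the lookback window ...
| join kind=leftanti knownlocations on UserPrincipalName, Location
// ... and whose user-and-method pair has not been seen either
| join kind=leftanti knownmethods on UserPrincipalName, AuthMethod
// Users with no MFA history at all (for example new accounts) would pass both anti-joins; require some history
| join kind=inner (mfahistory | distinct UserPrincipalName) on UserPrincipalName
| project FirstSeen, UserPrincipalName, Location, AuthMethod, Apps, IPs
```

The two leftanti joins are independent, so a sign-in that is new in only one dimension (new location with a known method, or the reverse) no longer fires.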

Details


Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

SigninLogs, TimeGenerated, ResultType, AuthenticationRequirement, multiFactorAuthentication, MfaDetail.authMethod, AuthMethod, UserPrincipalName, Location, materialize, ago, distinct, join, rightanti, AppDisplayName, IPAddress

Operators

materialize, where, ago, extend, isnotempty, distinct, join, kind, on
