Query Details

Identity Potential App Recon

Query

//Find potentially compromised accounts trying to pivot into other apps: flag any account that, within a one-hour window, fails against 3 or more distinct apps because of Conditional Access, or against 3 or more distinct apps it is not assigned to

//Data connector required for this query - Azure Active Directory - Signin Logs

SigninLogs
| where TimeGenerated > ago(1d)
//53003 = sign-in blocked by a Conditional Access policy, 50105 = user is not assigned to the application
//ResultType is a string column in SigninLogs, so compare it against string literals throughout
| where ResultType in ("50105", "53003")
| summarize
    TotalCount=count(),
    ['Total Distinct Failed Apps']=make_set(AppDisplayName),
    ['List of distinct failed CA Apps']=make_set_if(AppDisplayName, ResultType == "53003"),
    ['List of distinct no access Apps']=make_set_if(AppDisplayName, ResultType == "50105")
    by UserPrincipalName, bin(TimeGenerated, 1h)
| extend
    ['Count of distinct failed CA Apps']=array_length(['List of distinct failed CA Apps']),
    ['Count of distinct failed no access Apps']=array_length(['List of distinct no access Apps'])
//Repeated failures to the same app count once; the threshold is on distinct apps per category, tested separately
| where ['Count of distinct failed CA Apps'] >= 3 or ['Count of distinct failed no access Apps'] >= 3

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting with Azure AD P2 License

AADSignInEventsBeta
| where Timestamp > ago(1d)
//ErrorCode is an integer column in AADSignInEventsBeta, so compare it against numeric literals throughout
| where ErrorCode in (50105, 53003)
| summarize
    TotalCount=count(),
    ['Total Distinct Failed Apps']=make_set(Application),
    ['List of distinct failed CA Apps']=make_set_if(Application, ErrorCode == 53003),
    ['List of distinct no access Apps']=make_set_if(Application, ErrorCode == 50105)
    by AccountUpn, bin(Timestamp, 1h)
| extend
    ['Count of distinct failed CA Apps']=array_length(['List of distinct failed CA Apps']),
    ['Count of distinct failed no access Apps']=array_length(['List of distinct no access Apps'])
//Same threshold logic as the SigninLogs version: distinct apps per category, within the same hour bin
| where ['Count of distinct failed CA Apps'] >= 3 or ['Count of distinct failed no access Apps'] >= 3

Explanation

This query surfaces accounts that may be compromised and are probing which applications they can reach. Over the last day it keeps only sign-ins with two result codes: 53003 (sign-in blocked by a Conditional Access policy) and 50105 (the user is not assigned to the application). It then groups those failures by user and one-hour bin and builds the set of distinct applications behind each code. An account is returned when either set holds 3 or more applications in the same hour. Two properties of the summarize matter when reading the results: the same application failing repeatedly counts once, because the count is taken over a set, and a burst that straddles an hour boundary is split across two bins and may fall under the threshold in both. Run the SigninLogs version with the Azure Active Directory Signin Logs connector, or the AADSignInEventsBeta version in Advanced Hunting (which requires an Azure AD P2 license). Expect some noise from legitimate users who hit a newly scoped Conditional Access policy across several apps at once; check the source IP, device and location of the failures before acting, and tune the threshold or window to the tenant.
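To make the grouping and thresholds concrete, the following is an added example (not code from this page or from the query's author) that replays the same logic in Python over constructed SigninLogs-style records; the user names, application names and timestamps are made up. It shows three outcomes that are easy to miss when reading the KQL: repeated failures to one app count once, the two categories are tested separately rather than combined, and failures that straddle an hour boundary land in different bins.

```python
"""Replay of the Identity Potential App Recon logic over constructed
SigninLogs-style records (added example; not code from the page or from
the query's author). Sample events, users and app names are made up."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

CA_BLOCKED = "53003"    # AADSTS53003: sign-in blocked by a Conditional Access policy
NOT_ASSIGNED = "50105"  # AADSTS50105: user is not assigned to the application
THRESHOLD = 3           # matches the ">= 3" in the KQL


def hour_bin(ts):
    """Equivalent of bin(TimeGenerated, 1h): floor the timestamp to the hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def potential_app_recon(events, threshold=THRESHOLD):
    """Mirror the KQL summarize/extend/where: keep only the two result codes,
    group by (user, hour bin), collect distinct apps per code, and return the
    groups where either distinct count reaches the threshold."""
    groups = defaultdict(lambda: {"total": 0, "ca": set(), "noaccess": set()})
    for e in events:
        if e["ResultType"] not in (CA_BLOCKED, NOT_ASSIGNED):
            continue  # the first 'where' drops successes and other failures
        g = groups[(e["UserPrincipalName"], hour_bin(e["TimeGenerated"]))]
        g["total"] += 1
        if e["ResultType"] == CA_BLOCKED:
            g["ca"].add(e["AppDisplayName"])
        else:
            g["noaccess"].add(e["AppDisplayName"])

    hits = []
    for (upn, hour), g in sorted(groups.items()):
        if len(g["ca"]) >= threshold or len(g["noaccess"]) >= threshold:
            hits.append({
                "UserPrincipalName": upn,
                "TimeGenerated": hour,
                "TotalCount": g["total"],
                "Total Distinct Failed Apps": sorted(g["ca"] | g["noaccess"]),
                "List of distinct failed CA Apps": sorted(g["ca"]),
                "List of distinct no access Apps": sorted(g["noaccess"]),
                "Count of distinct failed CA Apps": len(g["ca"]),
                "Count of distinct failed no access Apps": len(g["noaccess"]),
            })
    return hits


def flagged_users(events, threshold=THRESHOLD):
    """Distinct UPNs the query would return, for comparing thresholds."""
    return sorted({h["UserPrincipalName"] for h in potential_app_recon(events, threshold)})


T0 = datetime(2023, 6, 6, 9, 0, tzinfo=timezone.utc)  # constructed reference time


def ev(upn, minutes_after_t0, code, app):
    """Build one constructed SigninLogs-style record."""
    return {"TimeGenerated": T0 + timedelta(minutes=minutes_after_t0),
            "UserPrincipalName": upn, "ResultType": code, "AppDisplayName": app}


SAMPLE_EVENTS = [
    # alice: four distinct apps blocked by CA inside one hour -> flagged
    ev("alice@contoso.example", 5, CA_BLOCKED, "Office 365 SharePoint Online"),
    ev("alice@contoso.example", 7, CA_BLOCKED, "Microsoft Teams"),
    ev("alice@contoso.example", 9, CA_BLOCKED, "Azure Portal"),
    ev("alice@contoso.example", 12, CA_BLOCKED, "Microsoft Graph Command Line Tools"),
    ev("alice@contoso.example", 13, "0", "Microsoft Teams"),  # success, filtered out
    # bob: five 50105 failures, all to one app -> distinct count 1, not flagged
    *[ev("bob@contoso.example", m, NOT_ASSIGNED, "Payroll") for m in range(1, 6)],
    # carol: three distinct 50105 apps, but split across the 09:00 and 10:00 bins
    ev("carol@contoso.example", 58, NOT_ASSIGNED, "HR Portal"),
    ev("carol@contoso.example", 59, NOT_ASSIGNED, "Finance App"),
    ev("carol@contoso.example", 61, NOT_ASSIGNED, "Legal DMS"),
    # dave: two CA apps plus two no-access apps -> four distinct overall, but the
    # query tests each category separately, so neither reaches 3
    ev("dave@contoso.example", 20, CA_BLOCKED, "Azure Portal"),
    ev("dave@contoso.example", 21, CA_BLOCKED, "Microsoft Teams"),
    ev("dave@contoso.example", 22, NOT_ASSIGNED, "Payroll"),
    ev("dave@contoso.example", 23, NOT_ASSIGNED, "HR Portal"),
]

if __name__ == "__main__":
    for hit in potential_app_recon(SAMPLE_EVENTS):
        print(hit["UserPrincipalName"], hit["TimeGenerated"].isoformat(),
              "CA:", hit["List of distinct failed CA Apps"],
              "no access:", hit["List of distinct no access Apps"])
```

With the default threshold only alice is returned; dropping it to 2 also returns carol (her 09:00 bin holds two distinct apps) and dave, while bob is never returned because the query counts distinct apps, not attempts. Dave's four distinct failures across both categories never trigger the rule, which is worth knowing if an attacker mixes blocked and unassigned apps during recon.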

Details


Matt Zorich

Released: June 6, 2023

Tables

SigninLogs, AADSignInEventsBeta

Keywords

SigninLogs, TimeGenerated, ResultType, AppDisplayName, UserPrincipalName, TotalCount, List of distinct failed CA Apps, List of distinct no access Apps, Count of distinct failed CA Apps, Count of distinct failed no access Apps

AADSignInEventsBeta, Timestamp, ErrorCode, Application, AccountUpn, TotalCount, List of distinct failed CA Apps, List of distinct no access Apps, Count of distinct failed CA Apps, Count of distinct failed no access Apps

Operators

where, ago, in, summarize, count, make_set, make_set_if, by, bin, extend, array_length, or
