Query Details
//Detects when a user has a medium or high risk sign-in requiring MFA registration (error 50079/50072) followed by successful MFA registration within 2 hours
//This may detect an adversary registering MFA on behalf of your users
//Data connectors required for this query - Azure Active Directory (both Sign-in Logs and Audit Logs must be ingested)
SigninLogs
| where TimeGenerated > ago(7d)
// Risky sign-ins that were interrupted because the user still had to register an MFA method
| where RiskLevelDuringSignIn in ("medium", "high")
| where ResultType in ("50079", "50072")
| project
    RiskTime=TimeGenerated,
    UserPrincipalName,
    IPAddress,
    Location,
    ResultType,
    ResultDescription
| join kind=inner (
    AuditLogs
    | where TimeGenerated > ago(7d)
    // Successful security-info (MFA method) registrations; the affected user is the first target resource
    | where OperationName == "User registered security info"
    | where Result == "success"
    | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
    ) on UserPrincipalName
// Right-side columns whose names clash with the left side get a "1" suffix after the join
| project-rename MFATime=TimeGenerated, MFAResult=ResultDescription1
// Registration must happen after the risky sign-in and no more than 2 hours later
| where (MFATime - RiskTime) between (0min .. 2h)
| extend TimeDelta=MFATime-RiskTime
| project
    RiskTime,
    MFATime,
    TimeDelta,
    UserPrincipalName,
    IPAddress,
    Location,
    ResultType,
    ResultDescription,
    MFAResult
This query detects a medium- or high-risk sign-in that was interrupted because the user had to register an MFA method (result codes 50079 or 50072), followed by a successful security-info registration for the same user within two hours. It reads both SigninLogs and AuditLogs, so the Azure Active Directory data connector must have Sign-in Logs and Audit Logs enabled. The SigninLogs side keeps the risky, registration-required sign-ins from the last seven days; the AuditLogs side keeps successful "User registered security info" events and takes the affected user's UPN from the first entry of TargetResources. The two sides are inner-joined on UserPrincipalName, which pairs every risky sign-in with every registration for that user in the lookback window, and the between (0min .. 2h) filter then keeps only pairs where the registration happened after the sign-in and at most two hours later. Each result row shows the risk time, registration time, the delta between them, the UPN, the sign-in's IP address, location, result type and description, and the registration's result description. This sequence is what an attacker who holds a valid password for an account with no MFA method yet would produce when enrolling their own authenticator, so the IP address and location of the risky sign-in deserve a close look. One caveat: KQL joins compare string keys case-sensitively, so if the UPN recorded in AuditLogs TargetResources differs in case from the one in SigninLogs the pair is silently dropped; normalising both sides with tolower() before the join avoids that.
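To check the correlation logic offline before deploying it as an analytics rule, the following Python script re-implements the query's filters, join and time window over a handful of constructed SigninLogs and AuditLogs records. This is an added example, not part of the original page or Matt Zorich's query; the users, IP addresses and result descriptions are made up, and the case_insensitive flag is an addition that shows the difference a tolower() normalisation of the join key would make.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real tenant data). Only the columns the KQL
# query touches are modelled; the users, IPs and descriptions are illustrative.
SIGNIN_LOGS = [
    # High risk, registration follows 25 min later -> expected hit
    {"TimeGenerated": datetime(2023, 5, 29, 9, 0), "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "Location": "DE", "ResultType": "50072",
     "ResultDescription": "MFA enrollment required (interactive)", "RiskLevelDuringSignIn": "high"},
    # Medium risk, but registration happens 3.5 h later -> outside the 2 h window
    {"TimeGenerated": datetime(2023, 5, 29, 10, 0), "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "198.51.100.7", "Location": "US", "ResultType": "50079",
     "ResultDescription": "MFA enrollment required", "RiskLevelDuringSignIn": "medium"},
    # Low risk -> dropped by the risk filter even though registration follows quickly
    {"TimeGenerated": datetime(2023, 5, 29, 11, 0), "UserPrincipalName": "carol@contoso.example",
     "IPAddress": "192.0.2.44", "Location": "GB", "ResultType": "50072",
     "ResultDescription": "MFA enrollment required (interactive)", "RiskLevelDuringSignIn": "low"},
    # High risk; the matching audit record carries the UPN in different case
    {"TimeGenerated": datetime(2023, 5, 29, 12, 0), "UserPrincipalName": "dave@contoso.example",
     "IPAddress": "203.0.113.99", "Location": "NL", "ResultType": "50079",
     "ResultDescription": "MFA enrollment required", "RiskLevelDuringSignIn": "high"},
    # High risk, but alice's nearest registration is 10 min *before* this sign-in -> no hit
    {"TimeGenerated": datetime(2023, 5, 29, 14, 0), "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "Location": "DE", "ResultType": "50079",
     "ResultDescription": "MFA enrollment required", "RiskLevelDuringSignIn": "high"},
]


def audit(ts, upn, result, op="User registered security info"):
    """Build a minimal AuditLogs-shaped record (constructed, not a real event)."""
    return {"TimeGenerated": ts, "OperationName": op, "Result": result,
            "ResultDescription": "Security info registered" if result == "success" else "Registration failed",
            "TargetResources": [{"userPrincipalName": upn}]}


AUDIT_LOGS = [
    audit(datetime(2023, 5, 29, 9, 5), "alice@contoso.example", "failure"),    # failed -> ignored
    audit(datetime(2023, 5, 29, 9, 25), "alice@contoso.example", "success"),   # pairs with 09:00 sign-in
    audit(datetime(2023, 5, 29, 13, 30), "bob@contoso.example", "success"),    # 3.5 h after bob's sign-in
    audit(datetime(2023, 5, 29, 11, 10), "carol@contoso.example", "success"),  # carol was low risk
    audit(datetime(2023, 5, 29, 12, 40), "Dave@Contoso.example", "success"),   # case differs from SigninLogs
    audit(datetime(2023, 5, 29, 13, 50), "alice@contoso.example", "success"),  # before alice's 14:00 sign-in
]

WINDOW = timedelta(hours=2)


def risky_mfa_required(signins):
    """SigninLogs side: medium/high risk sign-ins interrupted for MFA enrollment."""
    return [s for s in signins
            if s["RiskLevelDuringSignIn"] in ("medium", "high")
            and s["ResultType"] in ("50079", "50072")]


def successful_registrations(audits):
    """AuditLogs side: successful 'User registered security info' events."""
    return [a for a in audits
            if a["OperationName"] == "User registered security info" and a["Result"] == "success"]


def correlate(signins, audits, window=WINDOW, case_insensitive=False):
    """Inner-join both sides on UPN, then keep pairs whose registration falls
    0..window after the risky sign-in (both ends inclusive, like KQL between()).
    case_insensitive=False mirrors KQL's join, which compares keys exactly."""
    key = str.lower if case_insensitive else (lambda u: u)
    regs_by_user = {}
    for a in successful_registrations(audits):
        upn = a["TargetResources"][0]["userPrincipalName"]  # tostring(TargetResources[0].userPrincipalName)
        regs_by_user.setdefault(key(upn), []).append(a)
    hits = []
    for s in risky_mfa_required(signins):
        for a in regs_by_user.get(key(s["UserPrincipalName"]), []):
            delta = a["TimeGenerated"] - s["TimeGenerated"]
            if timedelta(0) <= delta <= window:
                hits.append({
                    "RiskTime": s["TimeGenerated"], "MFATime": a["TimeGenerated"], "TimeDelta": delta,
                    "UserPrincipalName": s["UserPrincipalName"], "IPAddress": s["IPAddress"],
                    "Location": s["Location"], "ResultType": s["ResultType"],
                    "ResultDescription": s["ResultDescription"], "MFAResult": a["ResultDescription"],
                })
    return hits


if __name__ == "__main__":
    for ci in (False, True):
        print(f"case_insensitive={ci}:")
        for h in correlate(SIGNIN_LOGS, AUDIT_LOGS, case_insensitive=ci):
            print(f"  {h['UserPrincipalName']}  risk={h['RiskTime']:%H:%M}  "
                  f"mfa={h['MFATime']:%H:%M}  delta={h['TimeDelta']}  from {h['IPAddress']} ({h['Location']})")
```

With the exact-match join only alice's 09:00 sign-in is reported; dave's registration is missed because the audit record spells the UPN with different case, and it only appears once the join key is lowercased on both sides. Bob falls outside the two-hour window, carol is removed by the risk filter, and alice's 14:00 sign-in has no registration after it, which is what the 0min lower bound of the between() filter is for.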

Matt Zorich
Released: May 29, 2023