Query Details

Identity SSPR Followed by Risky Signin

Query

//Detect when a successful self-service password reset (SSPR) event is followed by a medium or high risk sign-in within 2 hours
//Threat actors are known to socially engineer helpdesk staff into updating a user's MFA methods so that they can complete SSPR themselves

//Data connector required for this query - Azure Active Directory - Signin Logs
//Data connector required for this query - Azure Active Directory - Audit Logs

//Looks back 7 days by default for events within 2 hours of each other, but you can adjust both values to suit

let successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Reset password (self-service)"
| where ResultDescription == "Successfully completed reset."
| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| project-rename PasswordResetTime=TimeGenerated
| project UserPrincipalName, PasswordResetTime, OperationName
| join kind=inner(
SigninLogs
    | where TimeGenerated > ago(7d)
    | where ResultType in (successCodes)
    | where RiskLevelDuringSignIn in ("high", "medium")
    | project
        RiskTime=TimeGenerated,
        UserPrincipalName,
        ResultType,
        ResultDescription,
        AppDisplayName,
        IPAddress,
        Location,
        UserAgent
    )
    on UserPrincipalName
//datetime_diff returns the first argument minus the second, so RiskTime minus PasswordResetTime is positive only when the sign-in happened after the reset
| extend ['Time Between Events']=datetime_diff('minute', RiskTime, PasswordResetTime)
| project-reorder
    PasswordResetTime,
    RiskTime,
    ['Time Between Events'],
    UserPrincipalName,
    OperationName,
    ResultType,
    ResultDescription,
    AppDisplayName
//Keep only sign-ins between 0 and 120 minutes after the reset; bounding both ends excludes sign-ins that preceded the reset or came days later
| where ['Time Between Events'] between (0 .. 120)

Explanation

This query detects a successful self-service password reset (SSPR) that is followed within 2 hours by a medium- or high-risk sign-in for the same user, a pattern consistent with an attacker who has talked the helpdesk into changing the user's MFA methods and then reset the password themselves. It reads the Azure Active Directory Audit Logs (for the reset) and Signin Logs (for the risky sign-in). By default it looks back 7 days for events within 2 hours of each other, but both values can be adjusted. The query joins the two tables on UserPrincipalName, calculates the time between the password reset and the sign-in, and filters the results to events where the sign-in occurred at most 120 minutes after the reset.
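As an added illustration, not the author's query or any Microsoft code, the same correlation logic in Python over constructed AuditLogs and SigninLogs records, so the window semantics can be checked against edge cases: a sign-in before the reset, one days later, a low-risk one, a failed one and a user whose reset did not succeed are all dropped. The helper names, sample UPNs and timestamps are assumptions.

```python
from datetime import datetime
# Constructed sample records (not real tenant data) shaped like the AuditLogs and
# SigninLogs columns the query reads; ResultType is a string in SigninLogs.
SUCCESS_CODES = {"0", "50055", "50057", "50155", "50105", "50133", "50005", "50076",
                 "50079", "50173", "50158", "50072", "50074", "53003", "53000", "53001", "50129"}

def audit(ts, upn, result="Successfully completed reset."):
    return {"TimeGenerated": ts, "OperationName": "Reset password (self-service)",
            "ResultDescription": result, "TargetResources": [{"userPrincipalName": upn}]}

def signin(ts, upn, risk, code="0"):
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "ResultType": code,
            "RiskLevelDuringSignIn": risk, "AppDisplayName": "Office 365"}

AUDIT_LOGS = [
    audit(datetime(2023, 5, 1, 9, 0), "alice@contoso.example"),
    audit(datetime(2023, 5, 1, 9, 5), "bob@contoso.example", result="Failed"),  # not a success
]
SIGNIN_LOGS = [
    signin(datetime(2023, 5, 1, 9, 45), "alice@contoso.example", "medium"),  # 45 min after reset: hit
    signin(datetime(2023, 5, 1, 8, 30), "alice@contoso.example", "high"),    # before the reset: miss
    signin(datetime(2023, 5, 4, 9, 0), "alice@contoso.example", "high"),     # three days later: miss
    signin(datetime(2023, 5, 1, 9, 50), "alice@contoso.example", "low"),     # low risk: miss
    signin(datetime(2023, 5, 1, 9, 55), "alice@contoso.example", "high", code="50126"),  # failed sign-in: miss
    signin(datetime(2023, 5, 1, 9, 30), "bob@contoso.example", "high"),      # reset did not succeed: miss
]

def successful_resets(audit_logs):
    # AuditLogs side of the query: successful self-service resets keyed by UPN
    return [{"UserPrincipalName": r["TargetResources"][0]["userPrincipalName"],
             "PasswordResetTime": r["TimeGenerated"]}
            for r in audit_logs if r["OperationName"] == "Reset password (self-service)"
            and r["ResultDescription"] == "Successfully completed reset."]

def risky_signins(signin_logs):
    # SigninLogs side: successful sign-ins that Identity Protection scored medium or high
    return [s for s in signin_logs
            if s["ResultType"] in SUCCESS_CODES and s["RiskLevelDuringSignIn"] in ("high", "medium")]

def correlate(audit_logs, signin_logs, window_minutes=120):
    """Join on UPN and keep sign-ins 0..window_minutes AFTER the reset. Measuring
    RiskTime - PasswordResetTime and bounding both ends is what enforces 'followed by'."""
    hits = []
    for reset in successful_resets(audit_logs):
        for s in risky_signins(signin_logs):
            if s["UserPrincipalName"] != reset["UserPrincipalName"]:
                continue
            minutes = int((s["TimeGenerated"] - reset["PasswordResetTime"]).total_seconds() // 60)
            if 0 <= minutes <= window_minutes:
                hits.append({**reset, "RiskTime": s["TimeGenerated"], "TimeBetweenEvents": minutes})
    return hits
```

Running `correlate(AUDIT_LOGS, SIGNIN_LOGS)` on the sample data returns the single 09:45 sign-in for alice with TimeBetweenEvents of 45; shrinking the window to 30 minutes returns nothing.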

Details


Matt Zorich

Released: May 4, 2023

Tables

AuditLogs, SigninLogs

Keywords

Devices,Intune,User,SigninLogs,AuditLogs,TimeGenerated,OperationName,ResultDescription,UserPrincipalName,TargetResources,PasswordResetTime,successCodes,RiskLevelDuringSignIn,ResultType,AppDisplayName,IPAddress,Location,UserAgent,RiskTime,['TimeBetweenEvents']

Operators

where, extend, project-rename, project, join, datetime_diff, project-reorder
