Query Details

Identity Single Factor Connections to Azure

Query

//Find any single factor sign ins to Azure resources such as the Azure portal

//Data connector required for this query - Azure Active Directory - Signin Logs

//Microsoft Sentinel query
SigninLogs
| where TimeGenerated > ago(7d)
| where AppDisplayName has "Azure"
| where ResultType == 0
| where AuthenticationRequirement == "singleFactorAuthentication"
| summarize ['Single Factor Authentications']=make_set(UserPrincipalName) by AppDisplayName
| extend ['User Count'] = array_length(['Single Factor Authentications'])
| order by ['User Count'] desc

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting with Azure AD P2 License

AADSignInEventsBeta
| where Timestamp > ago(7d)
| where Application has "Azure"
| where ErrorCode == 0
| where LogonType == @"[""interactiveUser""]"
| where AuthenticationRequirement == "singleFactorAuthentication"
| summarize ['Single Factor Authentications']=make_set(AccountUpn) by Application
| extend ['User Count'] = array_length(['Single Factor Authentications'])
| order by ['User Count'] desc

Explanation

The query looks for successful single-factor sign-ins to Azure resources, such as the Azure portal, over the last 7 days. Two versions are given, one per query platform, each relying on a different data connector (Microsoft Sentinel's Azure Active Directory sign-in logs, or Advanced Hunting's AADSignInEventsBeta table).

In the Microsoft Sentinel query:

  • It filters the sign-in logs from the past 7 days.
  • It further filters the logs to only include sign-ins to Azure resources with a result type of 0 (successful sign-ins).
  • It narrows down the results to only include sign-ins that used single factor authentication.
  • It groups the sign-ins by the application display name, collecting the distinct user principal names per application with make_set and counting them with array_length.
  • Finally, it orders the results by the user count in descending order.

In the Advanced Hunting query:

  • It filters the sign-in events from the past 7 days.
  • It further filters the events to only include sign-ins to Azure resources with an error code of 0 (successful sign-ins).
  • It narrows down the results to only include sign-ins that used single factor authentication and interactive user logon type.
  • It groups the sign-ins by the application name, collecting the distinct account UPNs per application with make_set and counting them with array_length.
  • Finally, it orders the results by the user count in descending order.
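The same where/summarize/extend/order pipeline that both explanations walk through, re-implemented in Python over a few constructed SigninLogs-style rows so the filtering and distinct-user counting can be checked offline. This is an added example, not part of the original page or Matt Zorich's query; the sample rows are invented, and kql_has is only an approximation of KQL's whole-term `has` operator.

```python
import re
from collections import defaultdict

# Constructed sample SigninLogs rows (not real telemetry); only the columns the query uses:
# (AppDisplayName, ResultType, AuthenticationRequirement, UserPrincipalName)
SAMPLE_SIGNINS = [
    ("Azure Portal", "0", "singleFactorAuthentication", "alice@example.com"),
    ("Azure Portal", "0", "singleFactorAuthentication", "alice@example.com"),  # repeat sign-in: one user
    ("Azure Portal", "0", "multiFactorAuthentication", "bob@example.com"),     # MFA: excluded
    ("Azure Portal", "50126", "singleFactorAuthentication", "carol@example.com"),  # failed: excluded
    ("Microsoft Azure CLI", "0", "singleFactorAuthentication", "dave@example.com"),
    ("Microsoft Azure CLI", "0", "singleFactorAuthentication", "erin@example.com"),
    ("MyAzureApp", "0", "singleFactorAuthentication", "frank@example.com"),    # substring only: excluded
    ("Office 365 Exchange Online", "0", "singleFactorAuthentication", "grace@example.com"),
]


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of a whole alphanumeric term.
    "Azure Portal" has "Azure", but "MyAzureApp" does not (that needs `contains`)."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def single_factor_azure_signins(rows):
    """Return [(app, sorted distinct users, user count)] ordered by count desc,
    mirroring the Sentinel query's where / summarize / extend / order by steps."""
    users_by_app = defaultdict(set)          # make_set(): distinct users per app
    for app, result, auth_req, upn in rows:
        if not kql_has(app, "Azure"):        # where AppDisplayName has "Azure"
            continue
        if result != "0":                    # where ResultType == 0 (successful sign-in)
            continue
        if auth_req != "singleFactorAuthentication":  # where AuthenticationRequirement == ...
            continue
        users_by_app[app].add(upn)
    return sorted(
        ((app, sorted(users), len(users)) for app, users in users_by_app.items()),
        key=lambda row: row[2], reverse=True,  # order by ['User Count'] desc
    )


if __name__ == "__main__":
    for app, users, count in single_factor_azure_signins(SAMPLE_SIGNINS):
        print(f"{count:>3}  {app}: {', '.join(users)}")
```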

Details


Matt Zorich

Released: June 17, 2022

Tables

SigninLogs, AADSignInEventsBeta

Keywords

SigninLogs, TimeGenerated, AppDisplayName, Azure, ResultType, AuthenticationRequirement, UserPrincipalName, UserCount, AADSignInEventsBeta, Timestamp, Application, ErrorCode, LogonType, AuthenticationRequirement, AccountUpn, UserCount

Operators

|, where, >, ago, has, ==, summarize, make_set, by, extend, array_length, order by
