Query Details

Identity Single Factor Signins From Priv Users

Query

//Finds users who hold a privileged Azure Active Directory role who are signing into applications using single factor

//Data connector required for this query - Azure Active Directory - Signin Logs
//Data connector required for this query - Microsoft Sentinel UEBA

let privusers=
    IdentityInfo
    | where TimeGenerated > ago(21d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where isnotempty(AssignedRoles)
    | where AssignedRoles != "[]"
    | distinct AccountUPN;
SigninLogs
| where TimeGenerated > ago(30d)
| where UserPrincipalName in~ (privusers)
| where ResultType == 0
| where AuthenticationRequirement == "singleFactorAuthentication"
| summarize
    ['List of Applications']=make_set(AppDisplayName),
    ['Count of Applications']=dcount(AppDisplayName)
    by UserPrincipalName
| sort by ['Count of Applications'] desc 

Explanation

This query is looking for users who have privileged roles in Azure Active Directory and are signing into applications using single-factor authentication. It uses data connectors for Azure Active Directory - Signin Logs and Microsoft Sentinel UEBA.

First, it takes the most recent IdentityInfo record for each account from the last 21 days (arg_max on TimeGenerated by AccountUPN) and keeps only accounts that hold roles, filtering out any record whose AssignedRoles is empty or an empty list, then returns the distinct account names.

Next, it retrieves signin logs for the past 30 days and filters them based on the user account names obtained earlier. It further filters the logs to only include successful sign-ins with single-factor authentication.

Finally, it summarizes the results by grouping them by user account name and provides a list of applications the users have signed into, along with the count of unique applications. The results are sorted in descending order based on the count of applications.
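The same logic, run offline over a handful of constructed IdentityInfo and SigninLogs rows, as an added example that is not part of the original page or the author's query. It mirrors each KQL step (21-day lookback with the latest record per account, the AssignedRoles filter, the case-insensitive in~ match, the ResultType and AuthenticationRequirement filters, and the per-user summarize), and the sample data is built to show the edge cases a practitioner cares about: a user whose latest record says the role was removed, an identity record older than the lookback, a failed sign-in, and an MFA sign-in. All names, timestamps and application names are constructed.

```python
"""Offline re-implementation of the privileged single-factor sign-in query.
Added example; every record below is constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)  # constructed reference time

# Constructed IdentityInfo (UEBA) rows. AssignedRoles is a JSON array string,
# exactly as the query compares it ("" or "[]" means no privileged role).
IDENTITY_INFO = [
    {"TimeGenerated": NOW - timedelta(days=2), "AccountUPN": "alice@contoso.example",
     "AssignedRoles": '["Global Administrator"]'},
    # Bob held a role 10 days ago, but his latest record shows it was removed.
    {"TimeGenerated": NOW - timedelta(days=10), "AccountUPN": "bob@contoso.example",
     "AssignedRoles": '["Security Administrator"]'},
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": "bob@contoso.example",
     "AssignedRoles": "[]"},
    # Carol's only record is older than the 21-day lookback window.
    {"TimeGenerated": NOW - timedelta(days=25), "AccountUPN": "carol@contoso.example",
     "AssignedRoles": '["Exchange Administrator"]'},
    {"TimeGenerated": NOW - timedelta(days=3), "AccountUPN": "dave@contoso.example",
     "AssignedRoles": ""},
]

# Constructed SigninLogs rows.
SF = "singleFactorAuthentication"
SIGNIN_LOGS = [
    # Mixed-case UPN: matched by in~, but grouped separately by summarize.
    {"TimeGenerated": NOW - timedelta(days=1), "UserPrincipalName": "Alice@Contoso.example",
     "ResultType": 0, "AuthenticationRequirement": SF, "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": NOW - timedelta(days=4), "UserPrincipalName": "alice@contoso.example",
     "ResultType": 0, "AuthenticationRequirement": SF, "AppDisplayName": "Office 365 Exchange Online"},
    {"TimeGenerated": NOW - timedelta(days=5), "UserPrincipalName": "alice@contoso.example",
     "ResultType": 0, "AuthenticationRequirement": SF, "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": NOW - timedelta(days=2), "UserPrincipalName": "alice@contoso.example",
     "ResultType": 0, "AuthenticationRequirement": "multiFactorAuthentication",
     "AppDisplayName": "Microsoft Teams"},                       # MFA: excluded
    {"TimeGenerated": NOW - timedelta(days=2), "UserPrincipalName": "alice@contoso.example",
     "ResultType": 50126, "AuthenticationRequirement": SF,
     "AppDisplayName": "Azure Portal"},                          # failed: excluded
    {"TimeGenerated": NOW - timedelta(days=1), "UserPrincipalName": "bob@contoso.example",
     "ResultType": 0, "AuthenticationRequirement": SF, "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": NOW - timedelta(days=1), "UserPrincipalName": "carol@contoso.example",
     "ResultType": 0, "AuthenticationRequirement": SF, "AppDisplayName": "Azure Portal"},
]


def privileged_users(identity_rows, now=NOW, lookback_days=21):
    """Mirror the `privusers` let-statement: latest IdentityInfo record per
    AccountUPN inside the lookback, kept only when AssignedRoles is non-empty."""
    window = now - timedelta(days=lookback_days)
    latest = {}
    for row in identity_rows:
        if row["TimeGenerated"] <= window:
            continue
        upn = row["AccountUPN"]
        if upn not in latest or row["TimeGenerated"] > latest[upn]["TimeGenerated"]:
            latest[upn] = row  # arg_max(TimeGenerated, *) by AccountUPN
    # Lower-cased so the sign-in side can reproduce the case-insensitive in~.
    return {upn.lower() for upn, row in latest.items()
            if row["AssignedRoles"] and row["AssignedRoles"] != "[]"}


def single_factor_signins(signin_rows, privusers, now=NOW, lookback_days=30):
    """Mirror the SigninLogs half: successful single-factor sign-ins by
    privileged users, summarised per UPN with the app set and distinct count."""
    window = now - timedelta(days=lookback_days)
    apps_by_user = defaultdict(set)  # make_set / dcount on AppDisplayName
    for row in signin_rows:
        if row["TimeGenerated"] <= window:
            continue
        if row["UserPrincipalName"].lower() not in privusers:  # in~ (privusers)
            continue
        if row["ResultType"] != 0 or row["AuthenticationRequirement"] != SF:
            continue
        apps_by_user[row["UserPrincipalName"]].add(row["AppDisplayName"])
    results = [{"UserPrincipalName": upn,
                "List of Applications": sorted(apps),
                "Count of Applications": len(apps)}
               for upn, apps in apps_by_user.items()]
    results.sort(key=lambda r: r["Count of Applications"], reverse=True)
    return results


def run_query(identity_rows=IDENTITY_INFO, signin_rows=SIGNIN_LOGS, now=NOW):
    return single_factor_signins(signin_rows, privileged_users(identity_rows, now), now)


if __name__ == "__main__":
    for result in run_query():
        print(result)
```

Running it returns two rows for the same person: the KQL `in~` matches the mixed-case UPN, but `summarize ... by UserPrincipalName` groups on the exact string, so "Alice@Contoso.example" and "alice@contoso.example" land in separate result rows. If you want one row per account, normalise with `tolower(UserPrincipalName)` before the summarize. Bob, Carol and Dave produce no rows at all, which is the intended effect of the arg_max step, the 21-day window and the AssignedRoles filter respectively.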

Details


Matt Zorich

Released: June 17, 2022

Tables

IdentityInfo, SigninLogs

Keywords

Users,AzureActiveDirectory,Role,Applications,SingleFactorAuthentication

Operators

where, ago, summarize, arg_max, by, isnotempty, distinct, in~, ==, make_set, dcount, sort by
