Query Details
//Summarize legacy auth authentications by type (such as ActiveSync, IMAP etc) and which accounts are using those protocols
//Data connector required for this query - Azure Active Directory - Signin Logs
//Microsoft Sentinel query
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(30d)
| where ResultType == 0
| where ClientAppUsed in ("Exchange ActiveSync", "Exchange Web Services", "AutoDiscover", "Unknown", "POP3", "IMAP4", "Other clients", "Authenticated SMTP", "MAPI Over HTTP", "Offline Address Book")
| summarize ['Count of legacy auth attempts'] = count() by ClientAppUsed, UserPrincipalName
| sort by ClientAppUsed asc, ['Count of legacy auth attempts'] desc
//Advanced Hunting query
//Data connector required for this query - Advanced Hunting with Azure AD P2 License
AADSignInEventsBeta
| where Timestamp > ago(30d)
| where ErrorCode == 0
| where ClientAppUsed in ("Exchange ActiveSync", "Exchange Web Services", "AutoDiscover", "Unknown", "POP3", "IMAP4", "Other clients", "Authenticated SMTP", "MAPI Over HTTP", "Offline Address Book")
| summarize ['Count of legacy auth attempts'] = count() by ClientAppUsed, AccountUpn
| sort by ClientAppUsed asc, ['Count of legacy auth attempts'] desc

This query summarizes legacy authentication attempts by type (such as ActiveSync, IMAP, etc.) and identifies the accounts that are using those protocols. It requires the Azure Active Directory - Signin Logs data connector for the Microsoft Sentinel query and the Advanced Hunting with Azure AD P2 License data connector for the Advanced Hunting query. The query filters the data to a specific time range (the last 30 days) and to successful authentication results. It then groups the data by the type of client application used and the user account associated with it. The results are sorted in ascending order by client application type and in descending order by the count of legacy authentication attempts.
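The same detection logic, as an added example that is not part of the original query, rewritten in Python so it can be run offline over exported sign-in records. The records, column names and reference time are constructed for the example and assumed to match the Sentinel table schema.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# ClientAppUsed values the KQL query treats as legacy authentication protocols
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "AutoDiscover", "Unknown",
    "POP3", "IMAP4", "Other clients", "Authenticated SMTP", "MAPI Over HTTP",
    "Offline Address Book",
}

def legacy_auth_report(signin_logs, noninteractive_logs, now, lookback_days=30):
    """Same logic as the KQL, applied to exported sign-in records (dicts).
    union                                     -> concatenate both record lists
    TimeGenerated > ago(30d), ResultType == 0 -> window and success filters
    ClientAppUsed in (...)                    -> legacy-protocol filter
    summarize count() by ClientAppUsed, UserPrincipalName -> Counter
    sort by ClientAppUsed asc, count desc     -> sorted() key below
    Returns a list of (ClientAppUsed, UserPrincipalName, count) tuples."""
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    for rec in list(signin_logs) + list(noninteractive_logs):
        if datetime.fromisoformat(rec["TimeGenerated"]) <= cutoff:
            continue                                  # outside the lookback window
        if str(rec.get("ResultType")) != "0":         # ResultType is a string in exports
            continue                                  # failed sign-in, not counted
        if rec.get("ClientAppUsed") not in LEGACY_CLIENT_APPS:
            continue                                  # modern auth client, not counted
        counts[(rec["ClientAppUsed"], rec["UserPrincipalName"])] += 1
    return sorted(((app, upn, n) for (app, upn), n in counts.items()),
                  key=lambda row: (row[0], -row[2]))

# Constructed sample records (not real tenant data); the fifth is older than 30 days
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)
SIGNIN_LOGS = [
    {"TimeGenerated": "2022-06-16T08:00:00+00:00", "ResultType": "0", "ClientAppUsed": "Exchange ActiveSync", "UserPrincipalName": "alice@contoso.example"},
    {"TimeGenerated": "2022-06-15T09:30:00+00:00", "ResultType": "0", "ClientAppUsed": "IMAP4", "UserPrincipalName": "bob@contoso.example"},
    {"TimeGenerated": "2022-06-15T10:00:00+00:00", "ResultType": "50126", "ClientAppUsed": "IMAP4", "UserPrincipalName": "bob@contoso.example"},
    {"TimeGenerated": "2022-06-14T11:00:00+00:00", "ResultType": "0", "ClientAppUsed": "Browser", "UserPrincipalName": "carol@contoso.example"},
    {"TimeGenerated": "2022-04-01T11:00:00+00:00", "ResultType": "0", "ClientAppUsed": "POP3", "UserPrincipalName": "dave@contoso.example"},
]
NONINTERACTIVE_LOGS = [
    {"TimeGenerated": "2022-06-16T08:05:00+00:00", "ResultType": "0", "ClientAppUsed": "Exchange ActiveSync", "UserPrincipalName": "alice@contoso.example"},
    {"TimeGenerated": "2022-06-13T07:00:00+00:00", "ResultType": "0", "ClientAppUsed": "Authenticated SMTP", "UserPrincipalName": "svc-scanner@contoso.example"},
]

if __name__ == "__main__":
    for app, upn, n in legacy_auth_report(SIGNIN_LOGS, NONINTERACTIVE_LOGS, NOW):
        print(f"{app:<22} {upn:<32} {n}")
```

With the sample data, the failed IMAP4 attempt, the browser sign-in and the stale POP3 record are dropped, and alice's ActiveSync sign-ins from both tables are counted together.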

Matt Zorich
Released: June 17, 2022