Query Details
//When Azure AD Identity Protection flags an IP Address as malicious, find any successful or failed logon events in your tenant from that IP
//Data connector required for this query - Azure Active Directory - Signin Logs
//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
//First create a list of success and error codes in Azure AD
let failureCodes = dynamic([50053, 50126, 50055]);
let successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);
//Find the suspicious IP information from the SecurityAlert table, this example looks back 7 days as this is an offline detection
let suspiciousip=
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName == "Malicious IP address"
| extend IPAddress = tostring(parse_json(ExtendedProperties)["Client IP Address"])
| distinct IPAddress;
//Look back 14 days for any other sign in data from that IP address
SigninLogs
| where TimeGenerated > ago(14d)
| where IPAddress in (suspiciousip)
| where ResultType in(successCodes) or ResultType in(failureCodes)
//Create a summary showing successful and failed logons from that IP address and which users are affected
| summarize
['Count of distinct successful sign ins'] = dcountif(UserPrincipalName, (ResultType in(successCodes))),
['List of successful users']=make_set_if(UserPrincipalName, (ResultType in(successCodes))),
['Successful result codes'] = make_set_if(ResultType, (ResultType in(successCodes))),
['Count of distinct failed sign ins'] = dcountif(UserPrincipalName, (ResultType in(failureCodes))),
['List of failed users'] = make_set_if(UserPrincipalName, (ResultType in(failureCodes))),
['Failed result codes'] = make_set_if(ResultType, (ResultType in(failureCodes)))
by IPAddress

This query is used to find any successful or failed logon events in your tenant from an IP address that has been flagged as malicious by Azure AD Identity Protection.
First, a list of success and error codes in Azure AD is created.
Then, the query looks for suspicious IP information from the SecurityAlert table, specifically for alerts with the name "Malicious IP address" within the last 7 days.
Next, it looks back 14 days in the SigninLogs table for any sign-in data from the suspicious IP addresses. It filters the results based on the success and error codes defined earlier.
Finally, it creates a summary that includes the count of distinct successful and failed sign-ins, the list of successful and failed users, and the successful and failed result codes, grouped by the IP address.
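The same pipeline as an offline Python check over constructed SecurityAlert and SigninLogs rows, added here as an example (it is not the author's query or any Microsoft code): it reproduces the 7-day and 14-day windows, the ExtendedProperties parse and the summarize columns so the classification can be sanity-checked without a workspace. The rows, IP addresses and user names are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Result code lists copied from the KQL above; 50055 is in both, so a 50055 sign-in counts on both sides, as in the query.
FAILURE_CODES = {50053, 50126, 50055}
SUCCESS_CODES = {0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173,
                 50158, 50072, 50074, 53003, 53000, 53001, 50129}
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)  # fixed clock so the run is repeatable

def alert(days_ago, name, ip):  # constructed SecurityAlert row
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "AlertName": name,
            "ExtendedProperties": json.dumps({"Client IP Address": ip})}

def signin(days_ago, ip, upn, code):  # constructed SigninLogs row
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "IPAddress": ip,
            "UserPrincipalName": upn, "ResultType": code}

SECURITY_ALERT = [alert(2, "Malicious IP address", "203.0.113.10"),
                  alert(9, "Malicious IP address", "198.51.100.7"),        # outside 7d window
                  alert(1, "Unfamiliar sign-in properties", "192.0.2.5")]  # different AlertName
SIGNIN_LOGS = [signin(3, "203.0.113.10", "alice@example.test", 0),
               signin(4, "203.0.113.10", "bob@example.test", 50126),
               signin(4, "203.0.113.10", "bob@example.test", 50126),  # dcountif counts bob once
               signin(5, "203.0.113.10", "carol@example.test", 50055),  # on both sides
               signin(20, "203.0.113.10", "dave@example.test", 0),  # outside 14d window
               signin(1, "198.51.100.7", "erin@example.test", 0)]  # IP not in suspiciousip

def suspicious_ips(alerts, now=NOW, lookback=timedelta(days=7)):
    # The `suspiciousip` let-statement: distinct Client IP Address from recent alerts.
    return {json.loads(a["ExtendedProperties"]).get("Client IP Address") for a in alerts
            if a["TimeGenerated"] > now - lookback and a["AlertName"] == "Malicious IP address"}

def summarize(signins, ips, now=NOW, lookback=timedelta(days=14)):
    # The summarize stage: per IP, the dcountif / make_set_if columns of the query.
    rows = {}
    for s in signins:
        code, upn = s["ResultType"], s["UserPrincipalName"]
        in_scope = s["TimeGenerated"] > now - lookback and s["IPAddress"] in ips
        if not in_scope or code not in SUCCESS_CODES | FAILURE_CODES:
            continue
        r = rows.setdefault(s["IPAddress"], {"success_users": set(), "success_codes": set(),
                                             "failed_users": set(), "failed_codes": set()})
        if code in SUCCESS_CODES:
            r["success_users"].add(upn); r["success_codes"].add(code)
        if code in FAILURE_CODES:
            r["failed_users"].add(upn); r["failed_codes"].add(code)
    # dcountif(UserPrincipalName, ...) is the size of the corresponding user set
    return {ip: dict(r, success_count=len(r["success_users"]), failed_count=len(r["failed_users"]))
            for ip, r in rows.items()}
```

Running `summarize(SIGNIN_LOGS, suspicious_ips(SECURITY_ALERT))` yields one row for 203.0.113.10 with two distinct successful users (alice, carol) and two distinct failed users (bob, carol), which is how the KQL double-counts the overlapping 50055 code.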

Matt Zorich
Released: June 17, 2022