Query Details

Identity - Summarize Signin Info after MFA config

Query

//When a user registers or updates MFA details, take that IP address and summarize sign-in events for that user and IP address for the last 30 days.
//If they have never signed in, or have signed in only a few times, from that IP it may be a sign the account has been compromised and a threat actor has added MFA details.

//Data connector required for this query - Azure Active Directory - Signin Logs
//Data connector required for this query - Azure Active Directory - Audit Logs

let failureCodes = dynamic([50053, 50126, 50055]);
let successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info")
| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| project ['MFA Event Time']=TimeGenerated, OperationName, UserPrincipalName, IPAddress
| join kind=inner(
    SigninLogs
    | where TimeGenerated > ago (30d)
    )
    on UserPrincipalName, IPAddress
| project
    TimeGenerated,
    ['MFA Event Time'],
    OperationName,
    ResultType,
    UserPrincipalName,
    IPAddress
| summarize
    ['Count of successful sign ins from MFA IP Address'] = countif(ResultType in(successCodes)),
    ['Count of failed sign ins from MFA IP Address'] = countif(ResultType in(failureCodes))
    by UserPrincipalName, OperationName, IPAddress, ['MFA Event Time']

Explanation

This query looks at the sign-in events for a user and IP address in the last 30 days after they register or update their MFA details. The idea is that a user who has never signed in, or has signed in only a few times, from that IP address may have a compromised account. The query uses the Azure Active Directory - Signin Logs and Azure Active Directory - Audit Logs data connectors. It filters the audit logs for specific security info operations and extracts the user principal name and the IP address of the actor who made the change. It then joins this data with the sign-in logs on the user principal name and IP address. The final result summarizes the count of successful and failed sign-ins from the MFA IP address for each user, operation, IP address, and MFA event time.
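The same pipeline, reproduced in Python over constructed sample records so the join and summarize stages can be stepped through offline. This is an added example, not the author's query or Microsoft's API; the result codes and operation names are copied from the query above, the log records, the reference time and the `flag_low_history` threshold are constructed assumptions. One deliberate departure, noted in the code: an MFA event with no matching sign-ins is kept with zero counts rather than dropped, because the "never signed in from this IP" case the comments describe is the one an inner join removes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Result codes and operation names copied from the KQL query on this page.
FAILURE_CODES = {50053, 50126, 50055}
SUCCESS_CODES = {0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079,
                 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129}
MFA_OPERATIONS = {
    "Admin registered security info", "Admin updated security info",
    "Admin deleted security info", "User registered security info",
    "User changed default security info", "User deleted security info",
}

# Constructed reference time and sample records; not real tenant data.
NOW = datetime(2022, 6, 17, 12, 0, 0)

AUDIT_LOGS = [
    {"TimeGenerated": NOW - timedelta(hours=2),
     "OperationName": "User registered security info",
     "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": NOW - timedelta(hours=5),
     "OperationName": "User changed default security info",
     "UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.7"},
    # Not a security-info operation: the OperationName filter drops it.
    {"TimeGenerated": NOW - timedelta(hours=1), "OperationName": "Update user",
     "UserPrincipalName": "carol@contoso.example", "IPAddress": "203.0.113.44"},
    # Security-info operation, but older than the 1-day audit window.
    {"TimeGenerated": NOW - timedelta(days=3),
     "OperationName": "User registered security info",
     "UserPrincipalName": "dave@contoso.example", "IPAddress": "203.0.113.99"},
]

SIGNIN_LOGS = (
    # alice: a month of routine successful sign-ins from the IP used for her MFA change.
    [{"TimeGenerated": NOW - timedelta(days=d), "ResultType": "0",
      "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10"}
     for d in range(1, 13)]
    # bob: all his sign-ins come from 192.0.2.5; the MFA change came from
    # 198.51.100.7, from which he has only one failed sign-in.
    + [{"TimeGenerated": NOW - timedelta(days=d), "ResultType": "0",
        "UserPrincipalName": "bob@contoso.example", "IPAddress": "192.0.2.5"}
       for d in range(1, 9)]
    + [{"TimeGenerated": NOW - timedelta(hours=6), "ResultType": "50126",
        "UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.7"}]
    # A sign-in outside the 30-day window is ignored.
    + [{"TimeGenerated": NOW - timedelta(days=45), "ResultType": "0",
        "UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.7"}]
)


def mfa_events(audit_logs, now=NOW, lookback=timedelta(days=1)):
    """AuditLogs stage: security-info changes in the last day, with the actor's IP."""
    return [
        {"MFA Event Time": e["TimeGenerated"], "OperationName": e["OperationName"],
         "UserPrincipalName": e["UserPrincipalName"], "IPAddress": e["IPAddress"]}
        for e in audit_logs
        if e["TimeGenerated"] > now - lookback and e["OperationName"] in MFA_OPERATIONS
    ]


def summarize_signins(events, signin_logs, now=NOW, lookback=timedelta(days=30)):
    """Join each MFA event to 30 days of sign-ins on (UPN, IP) and count outcomes.

    Unlike the page's inner join, an event with no matching sign-ins is kept
    with zero counts, so the 'never signed in from this IP' case stays visible.
    Both countif() tests are applied independently, as in the query, so a code
    present in both lists (50055) is counted in both columns.
    """
    counts = defaultdict(lambda: [0, 0])  # (UPN, IP) -> [successes, failures]
    for s in signin_logs:
        if s["TimeGenerated"] <= now - lookback:
            continue
        code = int(s["ResultType"])  # SigninLogs.ResultType is a string
        key = (s["UserPrincipalName"], s["IPAddress"])
        if code in SUCCESS_CODES:
            counts[key][0] += 1
        if code in FAILURE_CODES:
            counts[key][1] += 1
    rows = []
    for ev in events:
        ok, bad = counts.get((ev["UserPrincipalName"], ev["IPAddress"]), (0, 0))
        rows.append({**ev,
                     "Count of successful sign ins from MFA IP Address": ok,
                     "Count of failed sign ins from MFA IP Address": bad})
    return rows


def flag_low_history(rows, min_successes=3):
    """Hypothetical triage threshold (not part of the page's query): MFA changes
    from an IP with fewer than min_successes prior successful sign-ins."""
    return [r for r in rows
            if r["Count of successful sign ins from MFA IP Address"] < min_successes]


if __name__ == "__main__":
    for r in flag_low_history(summarize_signins(mfa_events(AUDIT_LOGS), SIGNIN_LOGS)):
        print(r["UserPrincipalName"], r["IPAddress"], r["OperationName"],
              "successes:", r["Count of successful sign ins from MFA IP Address"],
              "failures:", r["Count of failed sign ins from MFA IP Address"])
```

Running it flags only bob: his security-info change came from an IP with no successful sign-in history and one failure, while alice's change came from the IP she signs in from daily. In the KQL, the equivalent of keeping bob visible even with zero sign-ins from that IP would be a leftouter join rather than kind=inner.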

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs, SigninLogs

Keywords

User, MFA, IP Address, Sign-in events, Last 30 days, Register, Update, MFA details, Compromised, Threat actor

Operators

|, =, let, dynamic, [, ], ago, in~, where, extend, tostring, parse_json, project, join, kind=inner, summarize, countif, by
