Identity Top20risky Locations
Query
//Find the top 20 IP addresses that are unknown to Azure AD, with users using unknown devices and single factor auth
//Then find the users and applications being accessed from each to help build out conditional access policy
//Data connector required for this query - Azure Active Directory - Signin Logs
let top20locations=
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == 0
| extend DeviceTrustType = tostring(DeviceDetail.trustType)
| where NetworkLocationDetails == '[]'
and isempty(DeviceTrustType)
and AuthenticationRequirement == "singleFactorAuthentication"
| summarize Count=count()by IPAddress
| top 20 by Count;
SigninLogs
| where ResultType == 0
| where IPAddress in (top20locations)
| summarize
['Total Signin Count']=count(),
['Distinct User Count']=dcount(UserPrincipalName),
['List of Users']=make_set(UserPrincipalName),
['Distinct Application Count']=dcount(AppDisplayName),
['List of Applications']=make_set(AppDisplayName)
by IPAddressExplanation
This query is looking for the top 20 IP addresses that are unknown to Azure AD, where users are using unknown devices and single factor authentication. It then finds the users and applications being accessed from each of these IP addresses to help build out a conditional access policy. The query requires the Azure Active Directory - Signin Logs data connector.
Details

Matt Zorich
Released: June 17, 2022
Tables
SigninLogs
Keywords
IPAddressesAzure ADUsersDevicesSingle Factor AuthApplicationsConditional Access Policy
Operators
whereago==extendtostringandisemptysummarizecounttopbyindcountmake_set