Query Details

Identity User Trying to Access Multiple Apps

Query

//Detect users trying to access multiple applications they haven't been granted access to over a short period of time
//In this example alert when a user attempts to access 2 or more unique applications in 30 minutes

//Data connector required for this query - Azure Active Directory - Signin Logs

SigninLogs
// 50105: the signed-in user is not assigned to a role for the app (the app requires assignment)
| where ResultType == "50105"
| summarize
    ['Denied Application List']=make_set(AppDisplayName),
    ['Count of Applications']=dcount(AppDisplayName)
    by UserPrincipalName, bin(TimeGenerated, 30m) // bin() floors each timestamp to the start of a fixed 30-minute bucket
| where ['Count of Applications'] >= 2

Explanation

This query detects users who are trying to access multiple applications they have not been granted access to within a short period of time. Specifically, it alerts when a user attempts to sign in to 2 or more unique applications within the same 30-minute window. The query requires the Azure Active Directory - Signin Logs data connector. It filters the logs for entries with a ResultType of "50105" (the signed-in user is not assigned to a role for the application, which is what Azure AD returns when an app requires user assignment and the user has none), groups the data by UserPrincipalName and TimeGenerated floored to the start of a fixed 30-minute bucket (bin() rounds down, not to the nearest boundary), and then keeps the users who attempted 2 or more distinct applications in one bucket. Because the buckets are fixed rather than sliding, two attempts that straddle a boundary (for example at 10:29 and 10:31) land in different groups and are not counted together; widen the bin or use a sliding window if that gap matters in your environment. Expect some benign hits from users browsing the My Apps portal or from apps whose assignment was never configured; tune by raising the threshold or excluding known-noisy AppDisplayName values.
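The detection logic above, replayed over constructed sign-in rows, as an added Python example that is not part of the original page or the query author's work. It replicates the query's filter, fixed-bin grouping and distinct-app threshold, and adds a sliding-window variant to show the bin-boundary gap described in the explanation. The sample rows, user principal names and application names are made up; only the four columns the query reads are modelled.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Azure AD sign-in error: the signed-in user is not assigned to a role for the app.
DENIED_NOT_ASSIGNED = "50105"

# Constructed sample SigninLogs rows (not real telemetry); only the columns the query uses.
SAMPLE_SIGNIN_LOGS = [
    {"TimeGenerated": "2022-06-17T10:02:00Z", "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Payroll",     "ResultType": "50105"},
    {"TimeGenerated": "2022-06-17T10:11:00Z", "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "HR Portal",   "ResultType": "50105"},
    {"TimeGenerated": "2022-06-17T10:12:00Z", "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Payroll",     "ResultType": "50105"},  # repeat app; dcount ignores it
    {"TimeGenerated": "2022-06-17T10:20:00Z", "UserPrincipalName": "bob@contoso.example",   "AppDisplayName": "Finance App", "ResultType": "50105"},
    {"TimeGenerated": "2022-06-17T10:25:00Z", "UserPrincipalName": "bob@contoso.example",   "AppDisplayName": "Finance App", "ResultType": "0"},      # success; filtered out
    {"TimeGenerated": "2022-06-17T10:58:00Z", "UserPrincipalName": "carol@contoso.example", "AppDisplayName": "Legal Vault", "ResultType": "50105"},
    {"TimeGenerated": "2022-06-17T11:02:00Z", "UserPrincipalName": "carol@contoso.example", "AppDisplayName": "Board Docs",  "ResultType": "50105"},  # 4 min later, but next 30m bin
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample rows into a naive UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def bin_floor(ts, window_minutes):
    """Mimic KQL bin(): round DOWN to the start of the fixed bucket that contains ts."""
    size = timedelta(minutes=window_minutes)
    offset = (ts - datetime(1970, 1, 1)) % size
    return ts - offset


def detect_fixed_bins(rows, window_minutes=30, threshold=2):
    """Replicate the page's query: keep 50105 rows, group by user and bin(TimeGenerated),
    and alert on groups whose distinct-app count reaches the threshold."""
    groups = defaultdict(set)
    for row in rows:
        if row["ResultType"] != DENIED_NOT_ASSIGNED:
            continue
        key = (row["UserPrincipalName"], bin_floor(parse_time(row["TimeGenerated"]), window_minutes))
        groups[key].add(row["AppDisplayName"])
    alerts = []
    for (upn, bin_start), apps in sorted(groups.items()):
        if len(apps) >= threshold:
            alerts.append({
                "UserPrincipalName": upn,
                "TimeGenerated": bin_start,                  # bucket start, as KQL bin() would emit
                "Denied Application List": sorted(apps),     # make_set() equivalent
                "Count of Applications": len(apps),          # dcount() equivalent
            })
    return alerts


def detect_sliding_window(rows, window_minutes=30, threshold=2):
    """Sliding-window variant that does not miss bursts straddling a bin boundary: for each
    user, look at every window that starts at one of that user's denied sign-ins.
    Returns {UserPrincipalName: sorted apps from the first qualifying window}."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for row in rows:
        if row["ResultType"] == DENIED_NOT_ASSIGNED:
            per_user[row["UserPrincipalName"]].append((parse_time(row["TimeGenerated"]), row["AppDisplayName"]))
    hits = {}
    for upn, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            apps = {app for ts, app in events[i:] if ts < start + window}
            if len(apps) >= threshold:
                hits[upn] = sorted(apps)
                break
    return hits


if __name__ == "__main__":
    for alert in detect_fixed_bins(SAMPLE_SIGNIN_LOGS):
        print("fixed bin:", alert)
    for upn, apps in detect_sliding_window(SAMPLE_SIGNIN_LOGS).items():
        print("sliding:  ", upn, apps)
```

Run against the sample rows, the fixed-bin version (the page's query) flags only alice; carol's two denials four minutes apart fall into the 10:30 and 11:00 buckets and are never counted together, while the sliding-window version flags both alice and carol. bob is never flagged: his second sign-in succeeded and is removed by the ResultType filter.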

Details


Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

SigninLogs,ResultType,AppDisplayName,UserPrincipalName,TimeGenerated

Operators

where,summarize,make_set,dcount,by,bin
