Query Details

Identity Visualize Legacy Auth Methods

Query

//Visualize legacy auth methods (e.g. Exchange ActiveSync, IMAP4) by distinct user count over time

//Data connector required for this query - Azure Active Directory - Signin Logs

//Microsoft Sentinel query
SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == 0
| where ClientAppUsed in ("Exchange ActiveSync", "Exchange Web Services", "AutoDiscover", "Unknown", "POP3", "IMAP4", "Other clients", "Authenticated SMTP", "MAPI Over HTTP", "Offline Address Book")
| summarize Count=dcount(UserPrincipalName) by ClientAppUsed, bin (TimeGenerated, 1d)
| render timechart with (title="Legacy auth methods by distinct user over time")

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting with Azure AD P2 License

AADSignInEventsBeta
| where Timestamp > ago(30d)
| where ErrorCode == 0
| where ClientAppUsed in ("Exchange ActiveSync", "Exchange Web Services", "AutoDiscover", "Unknown", "POP3", "IMAP4", "Other clients", "Authenticated SMTP", "MAPI Over HTTP", "Offline Address Book")
| summarize Count=dcount(AccountUpn) by ClientAppUsed, bin (Timestamp, 1d)
| render timechart

Explanation

This query visualizes the use of legacy authentication protocols (Exchange ActiveSync, Exchange Web Services, POP3, IMAP4, Authenticated SMTP and the other client types listed in the filter) over time, based on the Azure Active Directory Sign-in Logs. It keeps only successful sign-ins (ResultType == 0), counts the distinct users per client app type for each day, and renders the result as a time chart. Counting distinct users rather than raw sign-ins stops a single chatty mail client from dominating the chart. Note that "Unknown" and "Other clients" are part of the filter: they catch sign-ins whose client type was not identified, so some of that traffic may not be legacy authentication and is worth reviewing separately before blocking it with Conditional Access. The same query can be run in Advanced Hunting against the AADSignInEventsBeta table (Azure AD P2 license required), with ErrorCode in place of ResultType, AccountUpn in place of UserPrincipalName and Timestamp in place of TimeGenerated; the lookback there is 30 days because Advanced Hunting retains 30 days of data.
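The time chart shows how many users still depend on legacy protocols, but before blocking them you need to know who they are and from where. The following query is an added example, not part of the original page or its author's work; it reuses the page's client list against the same SigninLogs table and the standard dynamic columns DeviceDetail and LocationDetails to build a per-user inventory of successful legacy-auth sign-ins over the last 90 days.

```kql
// Added example: per-user inventory of successful legacy-auth sign-ins.
// Assumes the SigninLogs table from the Azure Active Directory data connector,
// the same source as the Sentinel query above.
let legacyClients = dynamic([
    "Exchange ActiveSync", "Exchange Web Services", "AutoDiscover", "Unknown",
    "POP3", "IMAP4", "Other clients", "Authenticated SMTP",
    "MAPI Over HTTP", "Offline Address Book"]);
SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == 0                        // successful sign-ins only
| where ClientAppUsed in (legacyClients)
| extend OS = tostring(DeviceDetail.operatingSystem),
         Country = tostring(LocationDetails.countryOrRegion)
| summarize SignInCount = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            ClientApps  = make_set(ClientAppUsed, 10),   // which legacy protocols
            TargetApps  = make_set(AppDisplayName, 10),  // which resource (e.g. Office 365 Exchange Online)
            SourceIPs   = dcount(IPAddress),
            OSes        = make_set(OS, 5),
            Countries   = make_set(Country, 5)
  by UserPrincipalName
| order by LastSeen desc
```

Users with a recent LastSeen, a single client app and a single OS are typically mail clients or printers/scanners that need a modern-auth replacement or a scoped exception; a user with many source IPs or countries over a protocol such as IMAP4 or Authenticated SMTP is worth investigating as possible credential abuse before the policy is tightened.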

Details


Matt Zorich

Released: June 17, 2022

Tables

SigninLogs, AADSignInEventsBeta

Keywords

Devices,Intune,User,AzureActiveDirectory,SigninLogs,MicrosoftSentinel,ExchangeActiveSync,ExchangeWebServices,AutoDiscover,Unknown,POP3,IMAP4,Otherclients,AuthenticatedSMTP,MAPIOverHTTP,OfflineAddressBook,AdvancedHunting,AzureADP2License,AADSignInEventsBeta,Timestamp,ErrorCode,AccountUpn

Operators

where, >, ago, ==, in, summarize, dcount, by, bin, render
