Query Details

Indicator of Token Replay: Sign-in Activity Outside of MDE Device IP Addresses

Query

let User = "AccountName";
// Step 1: public IP addresses of MDE-onboarded devices on which the user has a logon session
// (DeviceInfo.PublicIP is the address the device uses to reach the MDE service).
let PublicIp = (DeviceInfo
| mv-expand todynamic(LoggedOnUsers)
| extend ParsedLoggedOnUsers = parse_json(LoggedOnUsers)
| extend LoggedOnUser = tostring(ParsedLoggedOnUsers.UserName)
| where LoggedOnUser contains User
| distinct PublicIP);
// Step 2: sign-ins by the user that did NOT originate from any of those device IPs ...
EntraIdSignInEvents
| where AccountUpn contains User and IPAddress !in (PublicIp)
| project Timestamp, Application, ResourceDisplayName, LogonType, ErrorCode, SessionId, IPAddress, Country
// Step 3: ... whose SessionId was also used from a known device IP, i.e. the same session
// is active from the managed device and from elsewhere (token replay indicator).
| join kind=inner (EntraIdSignInEvents | where IPAddress in (PublicIp)) on $left.SessionId == $right.SessionId
| distinct Timestamp, SessionId, Application, ResourceDisplayName, Country, IPAddress, ErrorCode

// Optional: show only events whose SessionId already carries an IPC (Entra ID Protection) alert
//| join kind=innerunique (AlertEvidence | extend SessionId = tostring(todynamic(AdditionalFields).SessionId)) on $left.SessionId == $right.SessionId
//| distinct Application, ResourceDisplayName, Country, IPAddress, ErrorCode, DetectionSource, Title

// Optional: show only events whose IPAddress already appears as RemoteIP in an IPC alert
//| join kind=innerunique (AlertEvidence | extend SessionId = tostring(todynamic(AdditionalFields).SessionId)) on $left.IPAddress == $right.RemoteIP
//| distinct Application, ResourceDisplayName, Country, IPAddress, ErrorCode, DetectionSource, Title

Explanation

This KQL query is designed to analyze and correlate sign-in events and potential security alerts related to a specific user account. Here's a simplified breakdown of what the query does:

  1. Identify Public IPs:

    • It starts by defining the account to investigate (User = "AccountName"). The value is matched with contains against both DeviceInfo's LoggedOnUsers.UserName (the account name without domain) and EntraIdSignInEvents.AccountUpn, so a short or common name can also match other accounts.
    • It expands the JSON array of users logged on to each device (DeviceInfo table, LoggedOnUsers column) and keeps the devices on which this user has a session.
    • It collects the distinct PublicIP values of those devices. These are the addresses from which the user's managed devices are known to reach the internet and serve as the "expected" sign-in locations.
  2. Filter Sign-In Events:

    • It then looks at sign-in events (EntraIdSignInEvents) for the specified user.
    • It keeps only the events whose IPAddress is not in the list of device public IPs (IPAddress !in (PublicIp)); sign-ins from the managed devices themselves are discarded at this stage.
  3. Project Relevant Information:

    • From these filtered events, it selects specific fields like timestamp, application, resource name, logon type, error code, session ID, IP address, and country.
  4. Correlate with Known IPs:

    • It performs an inner join on SessionId against the sign-ins that did come from the device public IPs. A row survives only when the same session has been used both from a managed device and from an unexpected address, which is the indicator of token replay: a session established on the device is being reused from somewhere else.
    • Because the join is an inner join, a session that is only ever seen from an unknown IP (no device-side sign-in with the same SessionId) is not returned.
    • It ensures that only distinct combinations of timestamp, session ID, application, resource name, country, IP address, and error code are retained, collapsing the duplicates the join produces when a session has several device-side sign-ins.
  5. Optional Alert Correlation:

    • The query includes two commented-out sections that, if activated, further narrow the results by joining with AlertEvidence, from which the SessionId is extracted out of the AdditionalFields JSON.
    • The first joins on SessionId and keeps only sessions that already have an alert; the second joins the sign-in IPAddress against the alert's RemoteIP and keeps only IPs that already appear in an alert. The comments refer to IPC (Entra ID Protection) alerts. Either variant adds the alert's DetectionSource and Title to the output.

In essence, the query identifies sign-ins for a specific user that occur from addresses other than the user's managed devices but reuse a session that was also seen from those devices, and optionally correlates these with existing alerts for further investigation. Two caveats when reading the results: the device IP list is built from the whole DeviceInfo retention window rather than the time of each sign-in, so roaming devices, VPN egress changes and shared NAT addresses can produce both false positives and missed events, and a session minted entirely from a stolen refresh token (never seen from a device IP) is not surfaced by this query.
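The following is an added example, not part of Thomas Naunheim's query: the same correlation run over two constructed in-memory tables built with datatable(), so the behaviour can be checked in any Kusto environment without access to Defender XDR data. The table and column names mirror DeviceInfo and EntraIdSignInEvents; the device names, IP addresses (RFC 5737 documentation ranges), session IDs, account names and timestamps are made up for the demonstration.

```kql
// Added example (not the original query): constructed DeviceInfo / EntraIdSignInEvents stand-ins.
let User = "jdoe";
// Constructed stand-in for DeviceInfo. WS-001 and LT-002 have jdoe logged on; WS-003 does not.
let DeviceInfoSample = datatable(DeviceName:string, PublicIP:string, LoggedOnUsers:string)
[
    "WS-001", "203.0.113.10", '[{"UserName":"jdoe","DomainName":"CONTOSO","Sid":"S-1-5-21-1"}]',
    "LT-002", "203.0.113.11", '[{"UserName":"jdoe","DomainName":"CONTOSO","Sid":"S-1-5-21-1"},{"UserName":"admin","DomainName":"CONTOSO","Sid":"S-1-5-21-2"}]',
    "WS-003", "198.51.100.5", '[{"UserName":"asmith","DomainName":"CONTOSO","Sid":"S-1-5-21-3"}]'
];
// Constructed stand-in for EntraIdSignInEvents:
//   sess-A: first seen from WS-001's IP, then from 192.0.2.77  -> same session, foreign IP (replay indicator)
//   sess-B: only from LT-002's IP                               -> benign, filtered out by !in
//   sess-C: only from 192.0.2.78, never from a device IP        -> not returned (inner join finds no device-side row)
//   sess-D: another user from another device                    -> out of scope
let SignInSample = datatable(Timestamp:datetime, AccountUpn:string, SessionId:string, IPAddress:string,
                             Country:string, Application:string, ResourceDisplayName:string, LogonType:string, ErrorCode:int)
[
    datetime(2025-11-08 08:00:00), "jdoe@contoso.com",   "sess-A", "203.0.113.10", "DE", "Office 365",   "Microsoft Graph",         "Interactive",     0,
    datetime(2025-11-08 08:45:00), "jdoe@contoso.com",   "sess-A", "192.0.2.77",   "RU", "Office 365",   "Microsoft Graph",         "Non-interactive", 0,
    datetime(2025-11-08 09:10:00), "jdoe@contoso.com",   "sess-B", "203.0.113.11", "DE", "Azure Portal", "Azure Resource Manager",  "Interactive",     0,
    datetime(2025-11-08 09:30:00), "jdoe@contoso.com",   "sess-C", "192.0.2.78",   "RU", "Office 365",   "Exchange Online",         "Interactive",     50126,
    datetime(2025-11-08 10:00:00), "asmith@contoso.com", "sess-D", "198.51.100.5", "DE", "Office 365",   "Microsoft Graph",         "Interactive",     0
];
// Step 1: public IPs of the devices where the user has a logon session.
// The expanded element is named explicitly; the match is exact (=~) instead of the original's contains.
let PublicIp = (DeviceInfoSample
| mv-expand LoggedOnUser = todynamic(LoggedOnUsers)
| where tostring(LoggedOnUser.UserName) =~ User
| distinct PublicIP);
// Steps 2-4: sign-ins from outside those IPs whose SessionId was also used from a device IP.
// The right side of the join is reduced to SessionId plus the device-side IP so the output
// shows where the session was legitimately established.
SignInSample
| where AccountUpn has User and IPAddress !in (PublicIp)
| project Timestamp, Application, ResourceDisplayName, LogonType, ErrorCode, SessionId, IPAddress, Country
| join kind=inner (SignInSample | where IPAddress in (PublicIp) | project SessionId, DeviceSideIP = IPAddress) on SessionId
| distinct Timestamp, SessionId, Application, ResourceDisplayName, Country, IPAddress, DeviceSideIP, ErrorCode
// Expected result: one row, sess-A at 08:45 from 192.0.2.77 (RU) with DeviceSideIP 203.0.113.10.
// sess-B is dropped by !in, sess-C by the inner join, sess-D by the AccountUpn filter.
```

The example deliberately keeps sess-C in the sample data to make the inner-join caveat visible: a stolen refresh token used to mint a new session from an attacker's address never shares a SessionId with a device-side sign-in and therefore never appears in the output. It also uses has on the UPN and =~ on the device user name where the original uses contains; contains is a substring match that would also catch, for example, an account named "ajdoe", so tightening it reduces noise when the investigated account name is short.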

Details


Thomas Naunheim

Released: November 8, 2025

Tables

DeviceInfo, EntraIdSignInEvents

Keywords

DeviceInfo, EntraIdSignInEvents, AlertEvidence

Operators

let, mv-expand, todynamic, extend, parse_json, tostring, where, contains, distinct, in, project, join, on, ==, !in, kind=inner, kind=innerunique
