Query Details

Indicator Of Token Replay: Sign-In Activity Outside Of MDE Device IP Addresses

Query

// Target user, e.g. the account name part of the UPN. Note that `contains` is a
// case-insensitive substring match, so a short value may also match other accounts.
let User = "AccountName";
// Every public IP address that an MDE-onboarded device reported while this user was logged on.
let PublicIp = (DeviceInfo
| mv-expand todynamic(LoggedOnUsers)                       // one row per logged-on user
| extend ParsedLoggedOnUsers = parse_json(LoggedOnUsers)
| extend LoggedOnUser = tostring(ParsedLoggedOnUsers.UserName)
| where LoggedOnUser contains User
| distinct PublicIP);
AADSignInEventsBeta
// The user's sign-ins from an IP address that none of their MDE devices has reported ...
| where AccountUpn contains User and IPAddress !in (PublicIp)
| project Timestamp, Application, ResourceDisplayName, LogonType, ErrorCode, SessionId, IPAddress, Country
// ... that share a SessionId with a sign-in from a known device IP: the same session is in use from two networks
| join kind=inner (AADSignInEventsBeta | where IPAddress in (PublicIp)) on $left.SessionId == $right.SessionId
| distinct Timestamp, SessionId, Application, ResourceDisplayName, Country, IPAddress, ErrorCode

// Show only events with IPC alerts on the same SessionId
//| join kind=innerunique (AlertEvidence | extend SessionId = tostring(todynamic(AdditionalFields).SessionId)) on $left.SessionId == $right.SessionId
//| distinct Application, ResourceDisplayName, Country, IPAddress, ErrorCode, DetectionSource, Title

// Show only events with IPC alerts on the same IPAddress
//| join kind=innerunique (AlertEvidence | extend SessionId = tostring(todynamic(AdditionalFields).SessionId)) on $left.IPAddress == $right.RemoteIP
//| distinct Application, ResourceDisplayName, Country, IPAddress, ErrorCode, DetectionSource, Title

Explanation

The PublicIp let statement builds, from DeviceInfo, the set of public IP addresses that any MDE-onboarded device reported while the given user was logged on (LoggedOnUsers is a JSON array, so it is expanded to one row per user first). The main query then takes the user's AAD sign-in events whose IPAddress is not in that set, i.e. sign-ins from a network where none of the user's managed devices has been seen, and joins them on SessionId with sign-in events that did come from a known device IP. A session that shows up from both a known device IP and an unknown one is the indicator: the same session token is being used from a network the user's devices were never on, which is what a stolen or replayed token looks like. The result lists the distinct timestamps, session IDs, applications, resource display names, countries, IP addresses and error codes of the sign-ins from the unknown side. The commented-out sections optionally narrow the output to sessions or IP addresses that also appear in AlertEvidence (IPC alerts), matched on SessionId or on RemoteIP. Two caveats when triaging hits: the right side of the join is not filtered by user, so the correlation relies on SessionId being unique per session, and the device IP set is not time-correlated, so split-tunnel VPNs or proxies that send browser traffic and Defender telemetry through different egress points produce legitimate mismatches.
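The same detection logic, re-implemented in Python over constructed sample rows so it can be run offline and the hit pattern inspected. This is an added example, not code from the original page or its author: the DeviceInfo and sign-in rows, the user names jdoe and asmith, and all IP addresses and session IDs are made up, and the column names follow the Advanced Hunting tables the query uses.

```python
"""Offline model of the token-replay hunt above: same filters and join, over constructed rows."""
import json

# Constructed DeviceInfo rows (not real telemetry). LoggedOnUsers is the JSON array string
# the table carries; PublicIP is the egress address Defender for Endpoint observed.
DEVICE_INFO = [
    {"DeviceName": "ws01", "PublicIP": "203.0.113.10",
     "LoggedOnUsers": json.dumps([{"UserName": "jdoe", "DomainName": "CONTOSO"}])},
    {"DeviceName": "ws01", "PublicIP": "203.0.113.11",   # same device, seen later from another network
     "LoggedOnUsers": json.dumps([{"UserName": "jdoe", "DomainName": "CONTOSO"}])},
    {"DeviceName": "ws02", "PublicIP": "198.51.100.7",
     "LoggedOnUsers": json.dumps([{"UserName": "asmith", "DomainName": "CONTOSO"}])},
]


def _signin(ts, upn, session, ip, country, app="Office 365 Exchange Online", error=0):
    """Build one constructed AADSignInEventsBeta row with the columns the query touches."""
    return {"Timestamp": ts, "AccountUpn": upn, "SessionId": session, "IPAddress": ip,
            "Country": country, "Application": app, "ResourceDisplayName": app,
            "LogonType": "Interactive", "ErrorCode": error}


SIGNINS = [
    # Session A opened from the device's own egress IP ...
    _signin("2023-10-15T08:00:00Z", "jdoe@contoso.com", "sess-A", "203.0.113.10", "DE"),
    # ... and re-used 90 minutes later from an IP none of jdoe's devices ever reported: the hit.
    _signin("2023-10-15T09:30:00Z", "jdoe@contoso.com", "sess-A", "192.0.2.200", "NG"),
    # A different session from an unknown IP (e.g. an unmanaged phone): outside, but no counterpart.
    _signin("2023-10-15T10:00:00Z", "jdoe@contoso.com", "sess-B", "192.0.2.50", "DE"),
    # Another user from their own device IP: must not be attributed to jdoe.
    _signin("2023-10-15T10:05:00Z", "asmith@contoso.com", "sess-C", "198.51.100.7", "DE"),
]


def device_public_ips(device_rows, user):
    """Mirror of the PublicIp let statement: expand LoggedOnUsers and collect the PublicIP
    of every row whose UserName contains `user` (KQL `contains` is case-insensitive)."""
    ips = set()
    for row in device_rows:
        for entry in json.loads(row["LoggedOnUsers"]):          # mv-expand
            if user.lower() in str(entry.get("UserName", "")).lower():
                ips.add(row["PublicIP"])
    return ips


def token_replay_candidates(device_rows, signins, user):
    """Sign-ins of `user` from an IP outside their device IP set whose SessionId also appears
    in a sign-in from inside that set. Returns the projected columns, ordered by time.
    If the user has no MDE device the known set is empty and nothing can correlate."""
    known = device_public_ips(device_rows, user)
    # Left side: the user's sign-ins from IPs no managed device reported.
    outside = [s for s in signins
               if user.lower() in s["AccountUpn"].lower() and s["IPAddress"] not in known]
    # Right side: sessions seen from a known device IP. As in the KQL, this side is not
    # filtered by user, so the correlation relies on SessionId being unique per session.
    inside_sessions = {s["SessionId"] for s in signins if s["IPAddress"] in known}
    hits = {(s["Timestamp"], s["SessionId"], s["Application"], s["ResourceDisplayName"],
             s["Country"], s["IPAddress"], s["ErrorCode"])
            for s in outside if s["SessionId"] in inside_sessions}    # join + distinct
    columns = ("Timestamp", "SessionId", "Application", "ResourceDisplayName",
               "Country", "IPAddress", "ErrorCode")
    return [dict(zip(columns, h)) for h in sorted(hits)]


if __name__ == "__main__":
    for hit in token_replay_candidates(DEVICE_INFO, SIGNINS, "jdoe"):
        print(hit)
```

Run as-is, the only hit is sess-A from 192.0.2.200: sess-B is also outside the device IP set but never appears from a known device IP, so a sign-in from an unmanaged device alone does not fire, and asmith's sign-in is excluded by the user filter.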

Details


Thomas Naunheim

Released: October 15, 2023

Tables

AADSignInEventsBeta, DeviceInfo

Keywords

User,DeviceInfo,LoggedOnUsers,ParsedLoggedOnUsers,UserName,PublicIP,AADSignInEventsBeta,AccountUpn,IPAddress,Timestamp,Application,ResourceDisplayName,LogonType,ErrorCode,SessionId,Country,AlertEvidence,AdditionalFields,DetectionSource,Title

Operators

mv-expand, extend, parse_json, where, contains, distinct, in, project, join, on, inner, $left, $right
