Query Details

Microsoft Entra Identity Attack Threat Detection

Query

//Microsoft Entra Identity Attack Threat Detection
//https://www.linkedin.com/pulse/microsoft-entra-identity-attack-threat-detection-steven-lim-tycnc/

let companydomain = "@contoso.com"; //update your corporate domain
AzureActivity
| where TimeGenerated > ago(1h)
| where CategoryValue == "Administrative"
| where Caller contains "@" and Caller !contains companydomain

Explanation

This query is designed to detect potential identity attacks within the last hour by focusing on administrative activities in Microsoft Entra (formerly Azure AD). Here's a simple breakdown:

  1. Set Company Domain: It defines the corporate domain as "@contoso.com".
  2. Filter Azure Activities: It looks at Azure activity logs from the past hour.
  3. Focus on Administrative Actions: It filters the logs to only include activities categorized as "Administrative".
  4. Identify External Callers: It further narrows down the results to activities where the caller's email contains an "@" symbol (indicating an email address) but does not contain the company's domain (i.e., the caller is not from the company).

In summary, this query helps identify administrative actions performed by external users (not from the company's domain) within the last hour.
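The four filters as an added, runnable Python stand-in for the KQL above, applied to constructed AzureActivity rows (example code written for this page, not the author's query; NOW, SAMPLE_ROWS and the strict_suffix option are assumptions of the example). It also shows why the `!contains` test matters: with strict_suffix=True the domain check becomes a suffix match, the equivalent of KQL `endswith`, so a caller whose domain merely embeds the corporate domain is still flagged.

```python
from datetime import datetime, timedelta, timezone

COMPANY_DOMAIN = "@contoso.com"  # placeholder domain, as in the query
# Fixed "now" so the 1-hour window is deterministic (constructed value).
NOW = datetime(2024, 8, 2, 12, 0, tzinfo=timezone.utc)

# Constructed AzureActivity rows (not real telemetry); only the three
# columns the query references are modelled.
SAMPLE_ROWS = [
    {"TimeGenerated": NOW - timedelta(minutes=5),  "CategoryValue": "Administrative",
     "Caller": "alice@contoso.com"},              # internal admin: not flagged
    {"TimeGenerated": NOW - timedelta(minutes=10), "CategoryValue": "Administrative",
     "Caller": "mallory@example.net"},            # external caller: flagged
    {"TimeGenerated": NOW - timedelta(minutes=15), "CategoryValue": "Administrative",
     "Caller": "00000000-0000-0000-0000-000000000001"},  # service principal id: no "@"
    {"TimeGenerated": NOW - timedelta(hours=3),    "CategoryValue": "Administrative",
     "Caller": "bob@example.net"},                # older than 1h: outside the window
    {"TimeGenerated": NOW - timedelta(minutes=2),  "CategoryValue": "Security",
     "Caller": "eve@example.net"},                # not an Administrative event
    {"TimeGenerated": NOW - timedelta(minutes=1),  "CategoryValue": "Administrative",
     "Caller": "Carol@CONTOSO.COM"},              # KQL contains is case-insensitive
    {"TimeGenerated": NOW - timedelta(minutes=3),  "CategoryValue": "Administrative",
     "Caller": "dave@contoso.com.example.net"},   # embeds the domain: substring check misses it
]

def external_admin_callers(rows, now=NOW, window=timedelta(hours=1),
                           company_domain=COMPANY_DOMAIN, strict_suffix=False):
    """Apply the query's four filters in order and return the flagged callers.
    strict_suffix=True swaps the `!contains` test for a suffix match (KQL
    `endswith`), so a caller whose domain merely embeds the corporate domain
    is no longer treated as internal."""
    hits = []
    for r in rows:
        if r["TimeGenerated"] <= now - window:        # TimeGenerated > ago(1h)
            continue
        if r["CategoryValue"] != "Administrative":     # == is case-sensitive in KQL
            continue
        caller = r["Caller"]
        if "@" not in caller:                          # Caller contains "@"
            continue
        if strict_suffix:
            internal = caller.lower().endswith(company_domain.lower())
        else:
            # KQL contains / !contains: case-insensitive substring match
            internal = company_domain.lower() in caller.lower()
        if not internal:
            hits.append(caller)
    return hits
```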

Details

Steven Lim

Released: August 2, 2024

Tables

AzureActivity

Keywords

AzureActivity, TimeGenerated, CategoryValue, Caller

Operators

let, >, ago(), |, where, ==, contains, !contains