Query Details
**Monitoring Potential Sign-in Attempts from Airport Networks**

**Description:** This query identifies potential connections from airport perimeters, which can help identify bad actors using open airport Wi-Fi to launch different attacks. In addition, this information can help identify travelling users, which can enrich alerts or incidents involving sign-in attempts with unfamiliar properties or tokens.

```kql
// Airport bounding boxes (one row per airport) loaded from an external CSV
let Airport_Data = externaldata(AirportName:string, maxLatitude:decimal, minLatitude:decimal, maxLongitude:decimal, minLongitude:decimal, iata:string, country:string, maxlatindicator:int)
    [@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/Airport_polygon.csv"]
    with (format="csv", ignoreFirstRecord=true);
AADSignInEventsBeta
// Convert the string coordinates to decimals for numeric comparison
| extend Latitude0 = todecimal(Latitude), Longitude0 = todecimal(Longitude)
// The integer part of the latitude is the join key to the airport rows
| extend IntegerPart = toint(Latitude0)
| join kind=inner (Airport_Data) on $left.IntegerPart == $right.maxlatindicator
// Keep only sign-ins inside the airport bounding box
// (latitude must be above minLatitude and below maxLatitude)
| where Latitude0 > minLatitude and Latitude0 < maxLatitude
    and Longitude0 > minLongitude and Longitude0 < maxLongitude
| summarize make_set(AirportName), make_set(country), dcount(AirportName) by AccountDisplayName, ErrorCode
```
This query is designed to monitor and identify sign-in attempts that originate from airport networks. Here's a simplified breakdown of what the query does:

1. **Load Airport Data:** It imports a dataset containing information about airports, including their names, geographical boundaries (latitude and longitude) and country codes. This data is fetched from an external CSV file.
2. **Process Sign-In Events:** It reads the table of Azure Active Directory (AAD) sign-in events, focusing on the latitude and longitude of each sign-in attempt.
3. **Convert Coordinates:** The latitude and longitude values from the sign-in events are converted to decimal format so they can be compared numerically.
4. **Join with Airport Data:** The query matches sign-in events with the airport data on the integer part of the latitude, which serves as a coarse pre-filter for potential proximity to an airport.
5. **Filter for Airport Proximity:** It keeps only the sign-in events whose coordinates fall within the geographical boundaries of the airports listed in the dataset.
6. **Summarize Results:** Finally, it summarizes the data by creating sets of airport names and countries associated with each account display name and error code, and counts the distinct number of airports involved.

In essence, this query helps detect sign-in attempts that might be occurring from airport locations, which could indicate either legitimate travel by users or potential malicious activity using airport Wi-Fi networks.
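The join-and-geofence logic described above, reimplemented in plain Python over constructed sample rows so the matching can be inspected offline. This is an added example, not the author's query or data: the airport rows mirror the CSV columns the query loads, the sign-in rows mirror a subset of AADSignInEventsBeta columns, and every name and coordinate is made up.

```python
from collections import defaultdict

# Constructed airport bounding boxes (same columns as the CSV the query loads).
AIRPORTS = [
    {"AirportName": "Sample North Airport", "minLatitude": 51.45, "maxLatitude": 51.49,
     "minLongitude": -0.48, "maxLongitude": -0.43, "country": "GB", "maxlatindicator": 51},
    {"AirportName": "Sample South Airport", "minLatitude": -33.96, "maxLatitude": -33.93,
     "minLongitude": 151.16, "maxLongitude": 151.19, "country": "AU", "maxlatindicator": -33},
    # Box straddles the 41.0 latitude line; only its maxLatitude side carries the join key.
    {"AirportName": "Sample Boundary Airport", "minLatitude": 40.98, "maxLatitude": 41.02,
     "minLongitude": -74.20, "maxLongitude": -74.15, "country": "US", "maxlatindicator": 41},
]

# Constructed sign-in events (subset of AADSignInEventsBeta columns; coordinates are strings).
SIGNINS = [
    {"AccountDisplayName": "alice", "ErrorCode": 0, "Latitude": "51.470", "Longitude": "-0.455"},
    {"AccountDisplayName": "alice", "ErrorCode": 50126, "Latitude": "51.471", "Longitude": "-0.454"},
    {"AccountDisplayName": "bob", "ErrorCode": 0, "Latitude": "-33.945", "Longitude": "151.177"},
    {"AccountDisplayName": "carol", "ErrorCode": 0, "Latitude": "48.858", "Longitude": "2.294"},
    {"AccountDisplayName": "dave", "ErrorCode": 0, "Latitude": "40.990", "Longitude": "-74.170"},
]

def kql_toint(value: float) -> int:
    # KQL toint() on a decimal truncates toward zero, as Python's int() does.
    return int(value)

def in_box(lat: float, lon: float, ap: dict) -> bool:
    # Bounding-box test: strictly above the minimum and below the maximum on both axes.
    return (ap["minLatitude"] < lat < ap["maxLatitude"]
            and ap["minLongitude"] < lon < ap["maxLongitude"])

def airport_signins(signins=SIGNINS, airports=AIRPORTS) -> dict:
    """Return {(account, error_code): {"airports": set, "countries": set, "dcount": int}},
    mirroring the query's summarize by AccountDisplayName, ErrorCode."""
    by_indicator = defaultdict(list)
    for ap in airports:
        by_indicator[ap["maxlatindicator"]].append(ap)
    hits = defaultdict(lambda: {"airports": set(), "countries": set()})
    for ev in signins:
        lat, lon = float(ev["Latitude"]), float(ev["Longitude"])
        # Equivalent of the inner join: only airports sharing the integer latitude are tested.
        for ap in by_indicator.get(kql_toint(lat), []):
            if in_box(lat, lon, ap):
                key = (ev["AccountDisplayName"], ev["ErrorCode"])
                hits[key]["airports"].add(ap["AirportName"])
                hits[key]["countries"].add(ap["country"])
    return {k: {**v, "dcount": len(v["airports"])} for k, v in hits.items()}
```

Running it shows the caveat of the integer-latitude join key: the constructed event for "dave" sits inside the boundary airport's box at latitude 40.99 but is never tested against it, because its integer part (40) differs from the airport's maxlatindicator (41).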

Sergio Albea
Released: October 24, 2024