KQL Search

Query Details

HomeAI ToolsDevice Query

Most Attacked VI Ps

Query

//This query estimates the percentage of likely malicious sign in attempts for VIP users
//It uses typical locations, devices, sign in risk, and threat intelligence to determine malicious attempts
//Helps identify VIP users at risk of being locked out by Risk based CA policies
// Load the VVIP Users Watchlist
let VVIPUsers = _GetWatchlist('EntraVVIP')
    | extend AccountUPN = tolower(AccountUPN)
    | project AccountUPN;

// Load some external Threat Intel
let BlockList = (externaldata(ip: string)
    [@"https://rules.emergingthreats.net/blockrules/compromised-ips.txt",
    @"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt",
    @"https://cinsscore.com/list/ci-badguys.txt",
    @"https://lists.blocklist.de/lists/all.txt",
    @"https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt"
    ]
    with(format="csv")
    | where ip matches regex "(^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)"
    | distinct ip
    );

// Query the SignInLogs for the specified time range
let SignInData = SigninLogs
    | where TimeGenerated >= ago(90d)
        and IsInteractive == true
        and HomeTenantId == "aea37347-50ba-4d20-8681-47eaedfab1f8"
    | extend AccountUPN = tolower(UserPrincipalName)
    | where AccountUPN in (VVIPUsers);

// Determine 10 typical locations for VVIP Users by successful, no risk, sign ins
let VVIPLocations = SignInData
    | where ResultType == 0 and RiskLevelDuringSignIn has "none" and IPAddress !in (BlockList)
    | summarize TypicalLocations = make_set(Location, 10) by AccountUPN;

// Determine known devices and managed devices for VVIP Users
let VVIPDevices = SignInData
    | where ResultType == 0 and RiskLevelDuringSignIn has "none" and IPAddress !in (BlockList)
    | extend IsManaged = iff(DeviceDetail.trustType == "Hybrid Azure AD joined" or DeviceDetail.isCompliant == "true", strcat("Yes, Managed ", DeviceDetail.operatingSystem, " Device"), strcat("No, BYOD ", DeviceDetail.operatingSystem, " Device"))
    | summarize TypicalDevices = make_set(IsManaged,10) by AccountUPN;

// Now, put it all together
SignInData
| join kind = leftouter VVIPLocations on AccountUPN
| extend IsTypicalLocation = iff(TypicalLocations has Location, true, false)
| join kind = leftouter VVIPDevices on AccountUPN
| extend IsManaged = iff(DeviceDetail.trustType == "Hybrid Azure AD joined" or DeviceDetail.isCompliant == "true", strcat("Yes, Managed ", DeviceDetail.operatingSystem, " Device"), strcat("No, BYOD ", DeviceDetail.operatingSystem, " Device"))
| extend IsTypicalDevice = iff(TypicalDevices has IsManaged,true, false)
| extend IsMaliciousSignIn = iff(ResultType != 0 and (IsTypicalLocation != true or IsTypicalDevice != true or RiskLevelDuringSignIn in ('Medium','High') or IPAddress in (BlockList)), true, false)
| project-away AccountUPN1, AccountUPN2
| summarize TotalSignIns = count(), MaliciousSignIns = countif(IsMaliciousSignIn == true), TopMaliciousLocations = make_set_if(Location,IsMaliciousSignIn == true, 20) by AccountUPN, UserDisplayName
| project AccountUPN, UserDisplayName, TotalSignIns, PercentLikelyMalicious = round(100.0 * MaliciousSignIns / TotalSignIns, 2), TopMaliciousLocations
| order by PercentLikelyMalicious desc

Explanation

This query is designed to estimate the percentage of potentially malicious sign-in attempts for VIP users within an organization. Here's a simplified breakdown of what the query does:

  1. Load VIP Users: It starts by loading a list of VIP users from a watchlist, ensuring their usernames are in lowercase for consistency.

  2. Load Threat Intelligence: It then loads external threat intelligence data, specifically a list of known malicious IP addresses from various online sources.

  3. Filter Sign-In Logs: The query filters sign-in logs from the past 90 days for interactive sign-ins by these VIP users, ensuring they belong to a specific tenant.

  4. Identify Typical Locations: It identifies up to 10 typical locations for each VIP user based on successful sign-ins that had no associated risk and did not originate from known malicious IPs.

  5. Identify Known Devices: It also identifies typical devices used by these VIP users, distinguishing between managed (trusted) devices and personal (BYOD) devices.

  6. Analyze Sign-Ins: The query then analyzes each sign-in attempt to determine if it is potentially malicious. A sign-in is flagged as malicious if:

    • It was unsuccessful.
    • It originated from an atypical location or device.
    • It had a medium or high risk level.
    • It came from a known malicious IP address.

  7. Summarize Results: Finally, it summarizes the data for each VIP user, calculating the total number of sign-ins, the number of likely malicious sign-ins, and the percentage of sign-ins that are likely malicious. It also lists the top locations associated with these malicious attempts.

  8. Order by Risk: The results are ordered by the percentage of likely malicious sign-ins in descending order, highlighting the VIP users most at risk.

This query helps organizations identify VIP users who might be at risk of account lockouts due to risk-based conditional access policies, allowing them to take proactive measures to secure these accounts.

Details

Jonathan Bourke profile picture

Jonathan Bourke

Released: November 10, 2024

Tables

SigninLogs

Keywords

DevicesUsersSigninsLocationsThreatIntelligence

Operators

letextendtolowerprojectexternaldatawithformatwherematches regexdistinctagoandinsummarizemake_setbyhas!iniffstrcatjoinkindleftouterproject-awaycountcountifmake_set_iforder bydescround

Actions