Query Details

Multiple Account Configured MFA With Phone Numbers From Distinct Countries

Query

let query_frequency = 1h;
let _ExpectedCountryCodes = toscalar(
    _GetWatchlist('Activity-ExpectedSignificantActivity')
    | where Activity == "CorporateCountryCallingCode"
    | summarize make_list(Auxiliar)
);
AuthenticationMethodChanges(query_period=query_frequency)
| extend PhoneNumber = extract_all(@'PhoneNumber\"\:\"([^\"]+)', tostring(column_ifexists("StrongAuthenticationUserDetails", dynamic(null)).newValue))
| mv-expand Target = SecurityInfo_TargetResources
| mv-apply ModifiedProperties = Target["modifiedProperties"] on (
    summarize BagToUnpack = make_bag(pack(tostring(ModifiedProperties["displayName"]), trim(@'\"', tostring(ModifiedProperties["newValue"]))))
    )
| evaluate bag_unpack(BagToUnpack, columnsConflict = 'keep_source', ignoredProperties = dynamic(["Phone.Id", "Phone.PhoneType"]))
| extend ["Phone.PhoneNumber"] = column_ifexists("Phone.PhoneNumber", "")
| extend PhoneNumber = iff(isnotempty(["Phone.PhoneNumber"]), set_union(PhoneNumber, pack_array(["Phone.PhoneNumber"])), PhoneNumber)
| project-away Target, ["Phone.PhoneNumber"]
| where array_length(PhoneNumber) > 1
| extend DistinctCountryCodes = set_union(extract_all(@'\"(\+\d+)\s+', tostring(PhoneNumber)), dynamic(null))
| where array_length(DistinctCountryCodes) > 1
| where not(array_length(set_difference(DistinctCountryCodes, _ExpectedCountryCodes)) == 0)
| project-reorder
    TimeGenerated,
    ActorPrincipalName,
    IPAddress,
    OperationName,
    TargetUserPrincipalName,
    Result,
    ResultDescription,
    PhoneNumber,
    DistinctCountryCodes,
    Strong*,
    LoggedByService,
    InitiatedBy,
    UpdateUser_TargetResources,
    SecurityInfo_TargetResources,
    UserId,
    CorrelationId

Explanation

This query monitors changes to authentication methods over a one-hour window (the query_frequency). It specifically looks for MFA phone numbers that are added to or changed on user accounts.

First, it reads the list of expected corporate country calling codes from the watchlist named 'Activity-ExpectedSignificantActivity', taking the Auxiliar values of the rows whose Activity is "CorporateCountryCallingCode".

Then it collects phone numbers from two places: the 'StrongAuthenticationUserDetails' field, from which every PhoneNumber value in newValue is extracted, and the modified properties of the SecurityInfo target resources, which are unpacked to obtain any Phone.PhoneNumber value. The two sources are merged into a single list of distinct numbers.

If more than one phone number is found for a user, the query extracts the country calling code (the leading '+' and digits, up to the first space) from each number. If more than one distinct country code is found, and at least one of those codes is not in the expected list, the record is returned.

The final output is the list of events in which the phone number associated with a user's account has been changed, with the columns reordered so that time generated, actor principal name, IP address, operation name, target user principal name, result, result description, phone number, distinct country codes and the remaining fields appear in that order.
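The same detection logic, re-implemented in Python as an added example (not part of the catalog entry or of the original KQL query) so the extraction and the country-code comparison can be unit-tested offline; the audit record, the watchlist values and all function names are constructed for illustration:

```python
import json
import re

# Stands in for the watchlist's CorporateCountryCallingCode values (constructed).
EXPECTED_COUNTRY_CODES = ["+34"]

# Same patterns the KQL uses: the first pulls PhoneNumber values out of the
# StrongAuthenticationUserDetails JSON, the second pulls '+CC' out of the
# JSON rendering of the phone-number array (tostring(PhoneNumber) in KQL).
PHONE_IN_DETAILS = re.compile(r'PhoneNumber":"([^"]+)')
COUNTRY_CODE = re.compile(r'"(\+\d+)\s+')

# Constructed audit record carrying only the fields the detection reads.
SAMPLE_RECORD = {
    "StrongAuthenticationUserDetails": {
        "newValue": '[{"PhoneNumber":"+34 600000000","AlternativePhoneNumber":null}]'
    },
    "SecurityInfo_TargetResources": [{"modifiedProperties": [
        {"displayName": "Phone.PhoneNumber", "newValue": '"+1 5551234567"'},
        {"displayName": "Phone.PhoneType", "newValue": '"Mobile"'},
    ]}],
}

def phone_numbers(record: dict) -> list[str]:
    """Merge numbers from both sources into one distinct list (set_union)."""
    numbers = set()
    details = (record.get("StrongAuthenticationUserDetails") or {}).get("newValue")
    if details:
        numbers.update(PHONE_IN_DETAILS.findall(details))
    for target in record.get("SecurityInfo_TargetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Phone.PhoneNumber":
                numbers.add(prop["newValue"].strip('"'))  # trim(@'\"', ...)
    return sorted(numbers)

def country_codes(numbers: list[str]) -> list[str]:
    """Distinct country codes. Caveat: a number stored without a space after
    the code (e.g. '+34600000000') yields no code, exactly as in the query."""
    return sorted(set(COUNTRY_CODE.findall(json.dumps(numbers))))

def is_suspicious(record: dict, expected=EXPECTED_COUNTRY_CODES) -> bool:
    """True when the account ends up with MFA numbers from more than one
    country and at least one of those countries is outside the expected list."""
    numbers = phone_numbers(record)
    if len(numbers) <= 1:
        return False
    codes = country_codes(numbers)
    return len(codes) > 1 and bool(set(codes) - set(expected))
```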

Details

Jose Sebastián Canós

Released: December 30, 2022

Tables

AuthenticationMethodChanges, _GetWatchlist

Keywords

QueryFrequency, ExpectedCountryCodes, AuthenticationMethodChanges, PhoneNumber, SecurityInfoTargetResources, ModifiedProperties, BagToUnpack, Phone.PhoneNumber, DistinctCountryCodes, TimeGenerated, ActorPrincipalName, IPAddress, OperationName, TargetUserPrincipalName, Result, ResultDescription, Strong, LoggedByService, InitiatedBy, UpdateUserTargetResources, UserId, CorrelationId

Operators

let, toscalar, _GetWatchlist, where, summarize, make_list, extend, extract_all, tostring, column_ifexists, mv-expand, mv-apply, make_bag, pack, trim, evaluate, bag_unpack, columnsConflict, ignoredProperties, dynamic, isnotempty, set_union, pack_array, project-away, array_length, iff, set_difference, not, project-reorder