Query Details

Multiple Activity With Entra ID Break Glass Account

Query

let _BreakGlassUserId = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "EntraIDBreakGlass"
    | summarize make_list(ActorId)
);
union SigninLogs, AADNonInteractiveUserSignInLogs
| where UserId in (_BreakGlassUserId)
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    ResultTypes = array_sort_asc(make_set(ResultType, 100)),
    AppDisplayNames = array_sort_asc(make_set(AppDisplayName, 100)),
    ResourcesDisplayNames = array_sort_asc(make_set(ResourceDisplayName, 100)),
    UserAgents = make_set(UserAgent, 100),
    take_any(UserPrincipalName, UserDisplayName, AlternateSignInName)
    by IPAddress, UserId
| project
    StartTime,
    EndTime,
    UserPrincipalName,
    UserDisplayName,
    AlternateSignInName,
    IPAddress,
    ResultTypes,
    AppDisplayNames,
    ResourcesDisplayNames,
    UserAgents,
    UserId

Explanation

This query monitors and summarizes sign-in activity of the Entra ID break glass accounts.

First, it reads the watchlist named "Activity-ExpectedSignificantActivity", keeps the rows whose Activity is "EntraIDBreakGlass" (the rows that record the break glass accounts), and collects their ActorId values into a variable called "_BreakGlassUserId".

Then, the query looks at two types of logs: SigninLogs and AADNonInteractiveUserSignInLogs. It filters these logs to only include entries where the UserId matches one of the IDs stored in the "_BreakGlassUserId" variable.

For each combination of IP address and UserId, the query summarizes several pieces of information: the earliest and latest times the activity occurred (StartTime and EndTime), the sign-in result codes seen (ResultTypes), the names of the apps involved (AppDisplayNames), the names of the resources involved (ResourcesDisplayNames), and the user agents involved (UserAgents). It also takes any one available value for the user fields (UserPrincipalName, UserDisplayName, AlternateSignInName) in each group.

Finally, the query projects (displays) the summarized columns, producing one row per IP address and UserId pair.
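A self-contained way to exercise this logic before deploying it, as an added example that is not part of the original page or the author's query: the watchlist and the two sign-in tables are replaced by constructed datatable rows (every object ID, UPN and IP address is a placeholder), and two columns the original does not have, SignInCount and NonSuccessResultTypes, are added to make triage easier. The constructed rows show that the non-break-glass user is dropped and that the remaining sign-ins are split by source IP.

```kql
// Constructed stand-in for the "Activity-ExpectedSignificantActivity" watchlist.
// In a real workspace use _GetWatchlist("Activity-ExpectedSignificantActivity") instead.
let ExpectedSignificantActivity = datatable(Activity:string, ActorId:string) [
    "EntraIDBreakGlass", "00000000-0000-0000-0000-000000000001",
    "EntraIDBreakGlass", "00000000-0000-0000-0000-000000000002",
    "ServiceAccountRotation", "00000000-0000-0000-0000-0000000000aa"
];
let _BreakGlassUserId = toscalar(
    ExpectedSignificantActivity
    | where Activity == "EntraIDBreakGlass"
    | summarize make_list(ActorId)
);
// Constructed sign-in rows with only the columns the query reads.
// The real sources are SigninLogs and AADNonInteractiveUserSignInLogs.
let SampleSignIns = datatable(
    TimeGenerated:datetime, UserId:string, UserPrincipalName:string, UserDisplayName:string,
    AlternateSignInName:string, IPAddress:string, ResultType:string, AppDisplayName:string,
    ResourceDisplayName:string, UserAgent:string
) [
    datetime(2023-09-13T02:10:00Z), "00000000-0000-0000-0000-000000000001", "bg-admin-1@contoso.example", "BG Admin 1",
        "", "203.0.113.10", "0", "Azure Portal", "Windows Azure Service Management API", "Mozilla/5.0",
    datetime(2023-09-13T02:12:00Z), "00000000-0000-0000-0000-000000000001", "bg-admin-1@contoso.example", "BG Admin 1",
        "", "203.0.113.10", "0", "Microsoft Graph Command Line Tools", "Microsoft Graph", "Mozilla/5.0",
    datetime(2023-09-13T03:40:00Z), "00000000-0000-0000-0000-000000000001", "bg-admin-1@contoso.example", "BG Admin 1",
        "", "198.51.100.7", "50126", "Azure Portal", "Windows Azure Service Management API", "python-requests/2.31",
    datetime(2023-09-13T04:00:00Z), "00000000-0000-0000-0000-000000000003", "alice@contoso.example", "Alice",
        "", "203.0.113.10", "0", "Office 365", "Microsoft Graph", "Mozilla/5.0"
];
SampleSignIns
| where UserId in (_BreakGlassUserId)
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    SignInCount = count(),
    ResultTypes = array_sort_asc(make_set(ResultType, 100)),
    AppDisplayNames = array_sort_asc(make_set(AppDisplayName, 100)),
    ResourcesDisplayNames = array_sort_asc(make_set(ResourceDisplayName, 100)),
    UserAgents = make_set(UserAgent, 100),
    take_any(UserPrincipalName, UserDisplayName, AlternateSignInName)
    by IPAddress, UserId
// ResultType "0" is a successful sign-in; anything else is a failure or interrupt worth a closer look.
| extend NonSuccessResultTypes = set_difference(ResultTypes, dynamic(["0"]))
| project StartTime, EndTime, UserPrincipalName, UserDisplayName, AlternateSignInName, IPAddress,
    SignInCount, ResultTypes, NonSuccessResultTypes, AppDisplayNames, ResourcesDisplayNames, UserAgents, UserId
```

Because a break glass account is expected to stay unused, any row this returns warrants triage, and a row whose IP, user agent or NonSuccessResultTypes differ from the documented emergency procedure warrants it urgently.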

Details


Jose Sebastián Canós

Released: September 13, 2023

Tables

_GetWatchlist, SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

BreakGlassUserId,Activity,ActorId,SigninLogs,AADNonInteractiveUserSignInLogs,UserId,StartTime,EndTime,ResultTypes,AppDisplayNames,ResourcesDisplayNames,UserAgents,UserPrincipalName,UserDisplayName,AlternateSignInName,IPAddress

Operators

toscalar(), _GetWatchlist(), where, summarize, make_list(), union, in, min(), max(), array_sort_asc(), make_set(), take_any(), project, by
