Query Details

Multiple Distinct Accounts Configured MFA With The Same Device

Query

// Scheduling window and history depth. The 1h window only decides which
// phone numbers / device tokens count as "changed recently"; the 14d period
// supplies the other accounts those same values were bound to before.
let query_frequency = 1h;
let query_period = 14d;
// One row per (method change, phone number, device token); the heavy
// unpacking is done once and reused by the three consumers below.
let _MethodChanges = materialize(
    AuthenticationMethodChanges(query_period=query_period)
    // Pull phone numbers and device tokens out of the raw StrongAuthentication*
    // newValue payloads; both columns are optional, hence column_ifexists.
    | extend
        PhoneNumber = extract_all(@'PhoneNumber\"\:\"([^\"]+)', tostring(column_ifexists("StrongAuthenticationUserDetails", dynamic(null)).newValue)),
        DeviceToken = extract_all(@'DeviceToken\"\:\"([^\"]+)', tostring(column_ifexists("StrongAuthenticationPhoneAppDetail", dynamic(null)).newValue))
    // Flatten each target's modifiedProperties into a single bag keyed by
    // displayName, stripping the surrounding double quotes from newValue.
    | mv-expand Target = SecurityInfo_TargetResources
    | mv-apply ModifiedProperties = Target["modifiedProperties"] on (
        summarize BagToUnpack = make_bag(pack(tostring(ModifiedProperties["displayName"]), trim(@'\"', tostring(ModifiedProperties["newValue"]))))
        )
    | evaluate bag_unpack(BagToUnpack, columnsConflict = 'keep_source', ignoredProperties = dynamic(["Phone.Id", "Phone.PhoneType"]))
    // Phone.PhoneNumber may be absent after unpacking; when it is present and
    // non-empty it is merged into the regex-extracted list.
    | extend ["Phone.PhoneNumber"] = column_ifexists("Phone.PhoneNumber", "")
    | extend PhoneNumber = case(isnotempty(["Phone.PhoneNumber"]), set_union(PhoneNumber, pack_array(["Phone.PhoneNumber"])), PhoneNumber)
    | project-away Target, ["Phone.PhoneNumber"]
    // Lists become one string per row (the two columns are expanded in step).
    | mv-expand PhoneNumber to typeof(string), DeviceToken to typeof(string)
    // The literal NO_DEVICE_TOKEN is treated as "no token" so it can never be
    // counted as a device shared between accounts.
    | extend DeviceToken = case(DeviceToken == "NO_DEVICE_TOKEN", "", DeviceToken)
);
// Phone numbers bound to more than one distinct UserId over the period, with
// at least one of those bindings made inside the current run window.
let _SharedPhoneNumbers = toscalar(
    _MethodChanges
    | where isnotempty(PhoneNumber)
    | summarize Users = dcount(UserId), LastChange = max(TimeGenerated) by PhoneNumber
    | where Users > 1
    | where LastChange > ago(query_frequency)
    | summarize make_set(PhoneNumber)
);
// Same selection for authenticator device tokens.
let _SharedDeviceTokens = toscalar(
    _MethodChanges
    | where isnotempty(DeviceToken)
    | summarize Users = dcount(UserId), LastChange = max(TimeGenerated) by DeviceToken
    | where Users > 1
    | where LastChange > ago(query_frequency)
    | summarize make_set(DeviceToken)
);
// Emit every change in the period that touches a shared value, not only the
// most recent one, so the analyst sees which accounts already had it.
_MethodChanges
| where PhoneNumber in (_SharedPhoneNumbers) or DeviceToken in (_SharedDeviceTokens)
| project-reorder
    TimeGenerated, ActorPrincipalName, IPAddress, OperationName,
    TargetUserPrincipalName, Result, ResultDescription,
    PhoneNumber, DeviceToken, Strong*,
    LoggedByService, InitiatedBy,
    UpdateUser_TargetResources, SecurityInfo_TargetResources,
    UserId, CorrelationId

Explanation

This query is designed to identify and analyze changes in authentication methods over a period of 14 days, with a frequency of 1 hour. It extracts phone numbers and device tokens from the authentication details and expands the target resources.

The query then unpacks the modified properties into columns and, where the unpacked `Phone.PhoneNumber` property is not empty, merges it into the list of phone numbers extracted earlier. It then projects away the target and `Phone.PhoneNumber` columns and expands the phone-number and device-token lists into one string value per row; a device token equal to the `NO_DEVICE_TOKEN` placeholder is blanked so it never counts as a shared device.

The query then identifies repeated phone numbers and device tokens by counting the distinct users associated with each phone number and device token and the last time they were changed. If a phone number or device token is associated with more than one user and was changed within the last hour, it is added to a list of repeated phone numbers or device tokens.

Finally, the query returns all changes in authentication methods where the phone number or device token is in the list of repeated phone numbers or device tokens. The results are reordered to show the time generated, actor principal name, IP address, operation name, target user principal name, result, result description, phone number, device token, strong authentication details, logged by service, initiated by, update user target resources, security info target resources, user ID, and correlation ID.

Details


Jose Sebastián Canós

Released: December 15, 2022

Tables

AuthenticationMethodChanges

Keywords

QueryFrequency,QueryPeriod,AuthMethodChanges,PhoneNumber,DeviceToken,SecurityInfo,TargetResources,ModifiedProperties,Phone,UserId,TimeGenerated,ActorPrincipalName,IPAddress,OperationName,TargetUserPrincipalName,Result,ResultDescription,Strong,LoggedByService,InitiatedBy,UpdateUser,CorrelationId

Operators

let, materialize, AuthenticationMethodChanges, extend, extract_all, tostring, column_ifexists, dynamic, mv-expand, mv-apply, summarize, make_bag, pack, trim, evaluate, bag_unpack, columnsConflict, ignoredProperties, isnotempty, set_union, pack_array, project-away, typeof, iff, toscalar, where, dcount, max, ago, make_list, in, project-reorder
