KQL Search

Query Details

HomeAI ToolsDevice Query

Multiple Impossible Travel Activity Alerts

Query

let query_frequency = 1h;
let query_period = 7d;
let _HomeTenantDomains = toscalar(
    _GetWatchlist("UUID-AADTenantIds")
    | where Notes has "[HomeTenant]"
    | summarize make_list(Domain)
);
let _UntrustedResultTypes = toscalar(
    _GetWatchlist("ResultType-SignInLogsErrorCodes")
    | where Notes has "[MFA]" and Notes has_any ("[Unconfigured]", "[NotCompliant]")
    | summarize make_list(ResultType)
);
let _ImpossibleTravelAlerts = materialize(
    SecurityAlert
    | where TimeGenerated > ago(query_frequency)
    | where ProductName has "Microsoft Cloud App Security" and ProviderName != "ASI Scheduled Alerts" and AlertName has "Impossible travel activity"
    | where CompromisedEntity has_any (_HomeTenantDomains)
    | extend ExtendedProperties = todynamic(ExtendedProperties)
    | project
        Alert_TimeGenerated = TimeGenerated,
        ProductName,
        AlertName,
        Description,
        AlertSeverity,
        Status,
        Tactics,
        Techniques,
        Entities,
        ExtendedProperties,
        AlertLink
    | lookup kind=leftouter
        (AADUserRiskEvents
        | where TimeGenerated > ago(query_period)
        | where OperationName == "User Risk Detection" and Source == "MicrosoftCloudAppSecurity" and RiskEventType == "mcasImpossibleTravel"
        | summarize arg_max(TimeGenerated, *) by Id
        | mv-apply Auxiliar_AdditionalInfo = AdditionalInfo on (
            where Auxiliar_AdditionalInfo["Key"] == "alertUrl"
            | extend AlertLink = tostring(Auxiliar_AdditionalInfo["Value"])
            )
        | project
            TimeGenerated,
            UserDisplayName,
            UserPrincipalName,
            UserId,
            AdditionalInfo,
            OriginalRequestId = RequestId,
            CorrelationId,
            RiskDetail,
            RiskLevel,
            RiskState,
            AlertLink
        ) on AlertLink
    | as _Alerts
    | lookup kind=leftouter (
        union
            (SigninLogs
            | where TimeGenerated > ago(query_period)
            | where OriginalRequestId in (toscalar(_Alerts | summarize make_list(OriginalRequestId))) and RiskState == "atRisk"
            | extend
                DeviceDetail = tostring(DeviceDetail),
                TimeReceived = _TimeReceived
            ),
            (AADNonInteractiveUserSignInLogs
            | where TimeGenerated > ago(query_period)
            | where OriginalRequestId in (toscalar(_Alerts | summarize make_list(OriginalRequestId))) and RiskState == "atRisk"
            | extend TimeReceived = _TimeReceived
            )
        | summarize
            arg_max(TimeReceived, *),
            MFASuccess_TimeGenerated = minif(TimeGenerated, ConditionalAccessStatus == "success" and AuthenticationRequirement == "multiFactorAuthentication")
            by OriginalRequestId
        | project
            MFASuccess_TimeGenerated,
            RiskEventTypes,
            RiskLevelDuringSignIn,
            RiskLevelAggregated,
            OriginalRequestId
        )
        on OriginalRequestId
);
let _UntrustedUserIds = toscalar(
    union
        (_ImpossibleTravelAlerts
        | join kind=innerunique (
            SigninLogs
            | where TimeGenerated > ago(query_period)
            | where ResultType in (_UntrustedResultTypes)
            | project UserId
            )
            on UserId
        ),
        (AuthenticationMethodChanges(query_period, toscalar(_ImpossibleTravelAlerts | summarize make_set(UserId)), false)
        )
    | summarize make_set(UserId)
);
_ImpossibleTravelAlerts
| extend RecentlyConfiguredMFA = UserId in (_UntrustedUserIds)
| extend BenignAlert = case(
        // Remove cases where Defender for Cloud Apps considers the alert solved and the account had MFA configured long ago
        RiskDetail == "aiConfirmedSigninSafe" and RiskState == "dismissed" and not(RecentlyConfiguredMFA), true,
        false
    )
| where not(BenignAlert and AlertSeverity != "High")
| project
    Alert_TimeGenerated,
    TimeGenerated,
    ProductName,
    AlertName,
    Description,
    AlertLink,
    UserDisplayName,
    UserPrincipalName,
    UserId,
    OriginalRequestId,
    CorrelationId,
    AdditionalInfo,
    ExtendedProperties,
    Entities,
    AlertSeverity,
    Tactics,
    Techniques

Explanation

The query is retrieving security alerts related to impossible travel activity in Microsoft Cloud App Security. It filters the alerts based on certain criteria such as the provider name, compromised entity, and alert severity. It also looks up additional information from other data sources such as AADUserRiskEvents, SigninLogs, and AADNonInteractiveUserSignInLogs. The query then performs some calculations and filtering to determine if the alerts are benign or not. Finally, it selects specific fields from the alerts to be displayed in the results.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: May 4, 2023

Tables

SecurityAlertAADUserRiskEventsSigninLogsAADNonInteractiveUserSignInLogs

Keywords

Devices,Intune,User

Operators

|=;lettoscalar|wherehashas_anysummarizemake_listmaterializeTimeGeneratedagoand!=extendtodynamicprojectlookupkind=leftouteronmv-apply===bymv-applyonasunioninarg_max*toscalarmake_setextendcasenotwhereproject

Actions