Query Details

Multiple Potential Golden SAML Authentication

Query

SigninLogs
| where IncomingTokenType has "saml11" and Status["additionalDetails"] has "MFA requirement satisfied by claim provided by external provider" // and MfaDetail == "{}" and AuthenticationDetails == "[]"
//    and TokenProtectionStatusDetails["signInSessionStatus"] == "unbound" and ResultType in (0, 399218)
//    and ((isempty(ResourceIdentity) and AppId == "72782ba9-4490-4f03-8d82-562370ea3566") // Office 365
//        or ResourceIdentity == "4765445b-32c6-49b0-83e6-1d93765276ca")  // OfficeHome
//        or a PowerShell app could also be used
| join kind=rightsemi (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs, ADFSSignInLogs) on CorrelationId
| as _Events
| where isempty(SessionId)
| union (
    union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs, ADFSSignInLogs
    | where SessionId in (toscalar(_Events | where isnotempty(SessionId) | summarize make_set(SessionId)))
    )
| summarize
    AppDisplayNames = array_sort_asc(make_set(AppDisplayName, 100)),
    ResourceDisplayNames = array_sort_asc(make_set(ResourceDisplayName, 100)),
    CorrelationIds = make_set(CorrelationId, 100),
    arg_min(CreatedDateTime, *)
    by UserId, IPAddress, Location, ResultType, ClientAppUsed, UserAgent, IncomingTokenType, SessionId, HomeTenantId, ResourceTenantId, TokenIssuerType
| sort by UserPrincipalName asc, CreatedDateTime asc
| project
    CreatedDateTime,
    UserPrincipalName,
    UserDisplayName,
    IPAddress,
    Location,
    AutonomousSystemNumber,
    ResultType,
    ResultDescription,
    Status = coalesce(tostring(Status_dynamic), Status_string),
    AppDisplayNames,
    ResourceDisplayNames,
    ClientAppUsed,
    UserAgent,
    DeviceDetail = coalesce(tostring(DeviceDetail_dynamic), DeviceDetail_string),
    TokenIssuerType,
    IncomingTokenType,
    TokenProtectionStatusDetails = coalesce(tostring(TokenProtectionStatusDetails_dynamic), TokenProtectionStatusDetails_string),
    SessionId,
    HomeTenantId,
    ResourceTenantId,
    CrossTenantAccessType,
    UserType,
    UserId,
    CorrelationIds

Explanation

This query is designed to analyze sign-in logs, focusing on specific conditions and summarizing the results. Here's a simplified breakdown:

  1. Filter Sign-in Logs: The query starts by filtering sign-in logs to find entries where:

    • The token type is "saml11".
    • The status indicates that multi-factor authentication (MFA) was satisfied by an external provider.
  2. Join with Other Logs: It then performs a rightsemi join on CorrelationId against the union of SigninLogs, AADNonInteractiveUserSignInLogs and ADFSSignInLogs, which keeps every row from those three tables whose CorrelationId matches one of the filtered sign-ins (including the non-interactive and ADFS rows that belong to the same authentication flow).

  3. Session Filtering: From those correlated rows, the query keeps the ones with an empty SessionId and adds every row from the three tables whose SessionId matches a non-empty SessionId seen among the correlated rows, so the whole session that the SAML token established is captured, not just the token redemption itself.

  4. Summarize Data: It then groups the rows by user, IP address, location, result, client, token and session details, collects the distinct application names, resource names and correlation IDs per group, and keeps the earliest row of each group (arg_min on CreatedDateTime) for the remaining columns.

  5. Sort and Project: Finally, it sorts the results by user principal name and creation date, and selects specific fields to display, such as:

    • User and session details (e.g., UserPrincipalName, UserDisplayName, SessionId).
    • Sign-in details (e.g., IPAddress, Location, ResultType).
    • Application and resource information (e.g., AppDisplayNames, ResourceDisplayNames).
    • Token and authentication details (e.g., IncomingTokenType, TokenIssuerType).

Overall, this query is used to analyze and summarize specific sign-in events, focusing on those involving SAML 1.1 tokens and external MFA claims, and provides a detailed view of user sign-in activities.
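To make the five steps concrete, the following is an added example (not code from the page or its author): a small Python re-implementation of the query's correlation pipeline run over constructed sign-in records, so the rightsemi join, the session expansion and the summarize step can be traced by hand. Column names mirror the sign-in log columns the query uses; the record values, CorrelationIds and SessionIds are made up, and the grouping key is a subset of the query's for brevity.

```python
# Added example: Python re-implementation of the KQL pipeline above over
# constructed sample records. Not the page's own code.
from itertools import groupby

EXTERNAL_MFA = "MFA requirement satisfied by claim provided by external provider"

def has_term(text, term):
    """Approximation of KQL `has` (case-insensitive term match) as a substring test."""
    return term.lower() in str(text).lower()

def is_seed(row):
    """Step 1: SAML 1.1 token whose MFA requirement was satisfied by an external IdP."""
    details = (row.get("Status") or {}).get("additionalDetails", "")
    return has_term(row.get("IncomingTokenType", ""), "saml11") and has_term(details, EXTERNAL_MFA)

def correlate(signin, noninteractive, adfs):
    """Steps 2-3: rightsemi join on CorrelationId, then expand to the whole session."""
    all_rows = signin + noninteractive + adfs                           # union isfuzzy=true ...
    seed_ids = {r["CorrelationId"] for r in signin if is_seed(r)}
    events = [r for r in all_rows if r["CorrelationId"] in seed_ids]    # join kind=rightsemi
    session_ids = {r["SessionId"] for r in events if r["SessionId"]}    # make_set(SessionId)
    no_session = [r for r in events if not r["SessionId"]]              # where isempty(SessionId)
    same_session = [r for r in all_rows if r["SessionId"] in session_ids]
    return no_session + same_session

GROUP_KEY = ("UserId", "IPAddress", "ResultType", "IncomingTokenType", "SessionId")

def summarize(rows):
    """Steps 4-5: group, collect distinct sets, keep the earliest row per group, sort."""
    key = lambda r: tuple(str(r[k]) for k in GROUP_KEY)
    out = []
    for _, grp in groupby(sorted(rows, key=key), key=key):
        grp = list(grp)
        first = min(grp, key=lambda r: r["CreatedDateTime"])   # arg_min(CreatedDateTime, *)
        out.append({**first,
                    "AppDisplayNames": sorted({r["AppDisplayName"] for r in grp}),
                    "ResourceDisplayNames": sorted({r["ResourceDisplayName"] for r in grp}),
                    "CorrelationIds": sorted({r["CorrelationId"] for r in grp})})
    return sorted(out, key=lambda r: (r["UserPrincipalName"], r["CreatedDateTime"]))

def row(ts, corr, session, user, upn, token, app, resource, details=""):
    # Constructed sample record; only the columns the query touches are modelled.
    return {"CreatedDateTime": ts, "CorrelationId": corr, "SessionId": session,
            "UserId": user, "UserPrincipalName": upn, "IPAddress": "198.51.100.10",
            "ResultType": 0, "IncomingTokenType": token, "AppDisplayName": app,
            "ResourceDisplayName": resource, "Status": {"additionalDetails": details}}

SIGNIN_LOGS = [
    # Seed: SAML 1.1 token, MFA satisfied by the external provider, no session yet.
    row("2025-05-08T10:00:00Z", "c-1", "", "u-1", "alice@example.test", "saml11",
        "OfficeHome", "Office 365", EXTERNAL_MFA),
    # Later sign-in inside the session that the seed token established.
    row("2025-05-08T10:03:00Z", "c-2", "s-1", "u-1", "alice@example.test",
        "primaryRefreshToken", "Exchange Online", "Office 365"),
    # SAML 1.1 token whose MFA claim did not come from an external provider: not a seed.
    row("2025-05-08T11:00:00Z", "c-3", "s-9", "u-2", "bob@example.test", "saml11",
        "OfficeHome", "Office 365", "MFA requirement satisfied by claim in the token"),
]
AAD_NONINTERACTIVE_LOGS = [
    # Same CorrelationId as the seed; carries the SessionId the query pivots on.
    row("2025-05-08T10:00:05Z", "c-1", "s-1", "u-1", "alice@example.test",
        "primaryRefreshToken", "Microsoft Office", "Office 365"),
]
ADFS_LOGS = [
    # Unrelated federated sign-in sharing neither CorrelationId nor SessionId.
    row("2025-05-08T12:00:00Z", "c-9", "s-7", "u-2", "bob@example.test", "saml11",
        "OfficeHome", "Office 365"),
]

def run():
    return summarize(correlate(SIGNIN_LOGS, AAD_NONINTERACTIVE_LOGS, ADFS_LOGS))

if __name__ == "__main__":
    for r in run():
        print(r["CreatedDateTime"], r["UserPrincipalName"], r["SessionId"] or "-",
              r["IncomingTokenType"], r["AppDisplayNames"], r["CorrelationIds"])
```

Running it yields two summary rows for alice only: the seed SAML 1.1 redemption with an empty SessionId, and the session s-1 it led to, with both application names and both correlation IDs collected. Bob's rows are dropped because neither seeds the detection nor shares a CorrelationId or SessionId with a seed.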

Details


Jose Sebastián Canós

Released: May 8, 2025

Tables

SigninLogs, AADNonInteractiveUserSignInLogs, ADFSSignInLogs

Keywords

SigninLogs, AADNonInteractiveUserSignInLogs, ADFSSignInLogs, UserId, IPAddress, Location, ResultType, ClientAppUsed, UserAgent, IncomingTokenType, SessionId, HomeTenantId, ResourceTenantId, TokenIssuerType, UserPrincipalName, UserDisplayName, AutonomousSystemNumber, ResultDescription, AppDisplayNames, ResourceDisplayNames, DeviceDetail, TokenProtectionStatusDetails, CrossTenantAccessType, UserType, CorrelationIds

Operators

where, has, and, in, join, kind=rightsemi, union, isfuzzy=true, on, as, isempty, toscalar, isnotempty, summarize, make_set, array_sort_asc, arg_min, by, sort by, asc, project, coalesce, tostring
