Query Details

Multiple Privileged User Logon from new ASN

Query

let query_frequency = 1h;
let query_period = 14d;
let _PartialSuccessResultTypes = toscalar(
    _GetWatchlist("ResultType-SignInLogsErrorCodes")
    | where Notes has_any ("[Success]", "[Expired]")
    | summarize make_list(ResultType)
);
let _HomeTenantId = toscalar(
    _GetWatchlist("UUID-AADTenantIds")
    | where Notes has "[HomeTenant]"
    | summarize make_list(TenantId)
);
let _PrivilegedAccounts = toscalar(
    PrivilegedIdentityInfo(query_period, time(null))
    | summarize make_list(AccountObjectId)
);
let _PreviousASNs = toscalar(
    union SigninLogs, AADNonInteractiveUserSignInLogs
    | where TimeGenerated between (ago(query_period) .. ago(query_frequency))
    | where isnotempty(AutonomousSystemNumber)
        and HomeTenantId in (_HomeTenantId)
        and not(UserType == "Guest")
        and ResultType in (_PartialSuccessResultTypes)
        and UserId in (_PrivilegedAccounts)
    | summarize make_set(AutonomousSystemNumber)
);
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(query_frequency)
| where isnotempty(AutonomousSystemNumber)
    and HomeTenantId in (_HomeTenantId)
    and not(UserType == "Guest")
    and ResultType in (_PartialSuccessResultTypes)
    and UserId in (_PrivilegedAccounts)
    and not(AutonomousSystemNumber in (_PreviousASNs))
| project-reorder
    TimeGenerated,
    Category,
    UserPrincipalName,
    UserDisplayName,
    IPAddress,
    Location,
    AutonomousSystemNumber,
    ResultType,
    ResultDescription,
    DeviceDetail*,
    UserAgent,
    ClientAppUsed,
    AppDisplayName,
    ResourceDisplayName,
    Status*,
    AuthenticationDetails,
    MfaDetail*,
    AuthenticationRequirement,
    ConditionalAccessPolicies*,
    ConditionalAccessStatus,
    Risk*,
    HomeTenantId,
    ResourceTenantId,
    UserId,
    OriginalRequestId,
    CorrelationId

Explanation

This query is designed to monitor sign-in logs for privileged accounts in a specific tenant over a certain period of time. It checks for sign-ins from new Autonomous System Numbers (ASNs) that have not been used in the past 14 days. The query excludes guest users and only considers sign-ins that have either been successful or expired.

The query first identifies the result types that are considered a partial success (either "[Success]" or "[Expired]") and the tenant ID that is marked as "[HomeTenant]". It then identifies the privileged accounts in the system.

Next, it checks the sign-in logs for the past 14 days (excluding the most recent hour, which is the detection window) to identify the ASNs that have been used by these privileged accounts.

Finally, it checks the sign-in logs for the past hour, filtering for sign-ins from the identified privileged accounts in the home tenant that have used a new ASN (i.e., an ASN not used in the past 14 days). It excludes guest users and only considers the sign-ins with the identified partial success result types.

The output of the query includes detailed information about each of these sign-ins, including the time, user details, IP address, location, ASN, result type and description, device details, user agent, app used, resource accessed, status, authentication details, multi-factor authentication details, conditional access policies and status, risk details, tenant IDs, user ID, and request and correlation IDs.
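The two-stage logic described above, replayed in Python as an added example that is not part of the original query page: constructed sign-in records go through the same filters, the 14-day ASN baseline is built so that it stops at ago(1h), and last-hour sign-ins whose ASN is missing from that baseline are returned. The watchlist contents, tenant and account ids and ASN numbers are constructed placeholders, not real values.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the watchlists and PrivilegedIdentityInfo() output; not real ids.
HOME_TENANT_IDS = {"tenant-home-0001"}
PARTIAL_SUCCESS_RESULT_TYPES = {"0", "50140"}   # constructed [Success]/[Expired] codes
PRIVILEGED_ACCOUNTS = {"admin-aaa", "admin-bbb"}
QUERY_FREQUENCY = timedelta(hours=1)
QUERY_PERIOD = timedelta(days=14)

def in_scope(ev):
    """The where-clauses shared by the baseline and the detection window."""
    return (bool(ev.get("AutonomousSystemNumber"))
            and ev["HomeTenantId"] in HOME_TENANT_IDS
            and ev["UserType"] != "Guest"
            and ev["ResultType"] in PARTIAL_SUCCESS_RESULT_TYPES
            and ev["UserId"] in PRIVILEGED_ACCOUNTS)

def new_asn_signins(events, now):
    """Last-hour sign-ins whose ASN no privileged account used in (ago(14d) .. ago(1h))."""
    baseline_start, window_start = now - QUERY_PERIOD, now - QUERY_FREQUENCY
    scoped = [e for e in events if in_scope(e)]
    previous_asns = {e["AutonomousSystemNumber"] for e in scoped
                     if baseline_start <= e["TimeGenerated"] <= window_start}
    return [e for e in scoped
            if e["TimeGenerated"] > window_start
            and e["AutonomousSystemNumber"] not in previous_asns]

NOW = datetime(2023, 3, 24, 12, 0, tzinfo=timezone.utc)

def ev(user, asn, age, user_type="Member", result="0", tenant="tenant-home-0001"):
    return {"TimeGenerated": NOW - age, "UserId": user, "AutonomousSystemNumber": asn,
            "UserType": user_type, "ResultType": result, "HomeTenantId": tenant}

# Constructed sign-in events (ASNs are arbitrary example numbers).
SAMPLE_EVENTS = [
    ev("admin-aaa", 3215, timedelta(days=2)),             # known ASN, lands in the baseline
    ev("admin-aaa", 3215, timedelta(minutes=10)),         # same ASN now: not new
    ev("admin-aaa", 64501, timedelta(days=20)),           # older than query_period: forgotten
    ev("admin-aaa", 64501, timedelta(minutes=20)),        # flagged: not seen in the last 14d
    ev("admin-bbb", 64501, timedelta(minutes=15)),        # flagged too: baseline stops at ago(1h)
    ev("user-ccc", 8075, timedelta(days=3)),              # non-privileged: no baseline contribution
    ev("admin-bbb", 8075, timedelta(minutes=5)),          # flagged: ASN unknown for privileged users
    ev("admin-bbb", 9999, timedelta(minutes=3), user_type="Guest"),  # guests are excluded
    ev("admin-aaa", 7777, timedelta(minutes=2), result="50126"),     # failure code: excluded
]

if __name__ == "__main__":
    for hit in new_asn_signins(SAMPLE_EVENTS, NOW):
        print(hit["TimeGenerated"].isoformat(), hit["UserId"], hit["AutonomousSystemNumber"])
```

Because the baseline only covers privileged accounts and ends one hour ago, an ASN that several admins hit for the first time within the same hour is reported once per sign-in, and an ASN last used more than 14 days ago is treated as new again.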

Details


Jose Sebastián Canós

Released: March 24, 2023

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

TimeGenerated,Category,UserPrincipalName,UserDisplayName,IPAddress,Location,AutonomousSystemNumber,ResultType,ResultDescription,DeviceDetail,UserAgent,ClientAppUsed,AppDisplayName,ResourceDisplayName,Status,AuthenticationDetails,MfaDetail,AuthenticationRequirement,ConditionalAccessPolicies,ConditionalAccessStatus,Risk,HomeTenantId,ResourceTenantId,UserId,OriginalRequestId,CorrelationId

Operators

let, toscalar, _GetWatchlist, where, has_any, summarize, make_list, time, null, union, between, ago, isnotempty, in, not, make_set, project-reorder, *
