Query Details

Multiple Sensitive Account Authentication In AD FS From Unexpected Device

Query

// Expected domain suffixes of domain-joined hosts, read from the
// "Activity-ExpectedSignificantActivity" watchlist (Activity == "DomainJoinedLDAP").
let _ExpectedDomain = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "DomainJoinedLDAP"
    | summarize make_list(Auxiliar)
);
// Most recent IdentityInfo record per account UPN over the last 14 days.
let _Identities =
    IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
;
IdentityLogonEvents
| where TimeGenerated > ago(1h)
// Successful AD FS or NTLM logons from a named device that is not in an expected domain.
| where ActionType == "LogonSuccess" and Protocol in ("Adfs", "NTLM") and isnotempty(DeviceName) and not(DeviceName has_any (_ExpectedDomain))
// Collapse events that share the same account and the same exact timestamp.
| summarize hint.shufflekey=TimeGenerated
    Protocols = array_sort_asc(make_set(Protocol)),
    DeviceNames = array_sort_asc(make_set(DeviceName)),
    LogonTypes = array_sort_asc(make_list(LogonType))
    by AccountUpn, TimeGenerated
// Keep only accounts that used both protocols with both logon types at that instant.
| where Protocols has_all ("Adfs", "NTLM") and LogonTypes has_all ("Logon with ADFS authentication", "Resource access")
// Enrich with identity attributes; keep AD-sourced or password-never-expires accounts.
| lookup kind=leftouter _Identities on $left.AccountUpn == $right.AccountUPN
| where SourceSystem has "ActiveDirectory" or UserAccountControl has "PasswordNeverExpires"
| project
    TimeGenerated,
    AccountUpn,
    DeviceNames,
    LogonTypes,
    Protocols,
    UserAccountControl,
    AccountDisplayName,
    JobTitle,
    Manager,
    Department,
    OnPremisesDistinguishedName,
    Tags,
    GroupMembership,
    AssignedRoles,
    SourceSystem,
    AccountSID,
    AccountObjectId

Explanation

This query looks for sensitive accounts that authenticate through AD FS from a device that is not domain-joined. It first builds a list of expected domains from the Activity-ExpectedSignificantActivity watchlist (entries with Activity set to DomainJoinedLDAP). Then it takes the most recent IdentityInfo record for each account UPN from the past 14 days. Next, it filters logon events from the past hour to successful logons over the Adfs or NTLM protocol whose device name is present and does not match any expected domain. It collapses those events by account UPN and identical timestamp, collecting the protocols, device names and logon types seen, and keeps only groups where both Adfs and NTLM were used and both the "Logon with ADFS authentication" and "Resource access" logon types occurred. It then performs a left outer lookup against the identity information and keeps accounts whose source system is Active Directory or whose UserAccountControl includes PasswordNeverExpires. Finally, it projects the timestamp, account, device, protocol and identity attribute fields.
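To test the correlation logic offline, the following Python rendering of the query runs over constructed IdentityLogonEvents and IdentityInfo rows. This is an added example, not the query author's code; the watchlist domain, host names and UPNs are hypothetical, and `has_any` approximates KQL term matching with a case-insensitive substring test.

```python
from collections import defaultdict
# Constructed stand-in for the watchlist's "Auxiliar" values (hypothetical domain).
EXPECTED_DOMAINS = ["corp.example.com"]
# Constructed IdentityLogonEvents rows, limited to the columns the query reads.
EVENTS = [
    {"TimeGenerated": "2023-08-16T10:00:00Z", "ActionType": "LogonSuccess", "Protocol": "Adfs",
     "DeviceName": "unmanaged-host", "LogonType": "Logon with ADFS authentication", "AccountUpn": "svc-backup@example.com"},
    {"TimeGenerated": "2023-08-16T10:00:00Z", "ActionType": "LogonSuccess", "Protocol": "NTLM",
     "DeviceName": "unmanaged-host", "LogonType": "Resource access", "AccountUpn": "svc-backup@example.com"},
    # Same pattern from a domain-joined workstation: excluded by the watchlist check.
    {"TimeGenerated": "2023-08-16T10:05:00Z", "ActionType": "LogonSuccess", "Protocol": "Adfs",
     "DeviceName": "ws01.corp.example.com", "LogonType": "Logon with ADFS authentication", "AccountUpn": "alice@example.com"},
    {"TimeGenerated": "2023-08-16T10:05:00Z", "ActionType": "LogonSuccess", "Protocol": "NTLM",
     "DeviceName": "ws01.corp.example.com", "LogonType": "Resource access", "AccountUpn": "alice@example.com"},
    # AD FS logon with no NTLM resource access at the same instant: not the pattern.
    {"TimeGenerated": "2023-08-16T10:07:00Z", "ActionType": "LogonSuccess", "Protocol": "Adfs",
     "DeviceName": "unmanaged-host", "LogonType": "Logon with ADFS authentication", "AccountUpn": "bob@example.com"},
]
# Constructed IdentityInfo rows keyed by AccountUPN (the lookup side of the query).
IDENTITY_INFO = {
    "svc-backup@example.com": {"SourceSystem": "ActiveDirectory", "UserAccountControl": "PasswordNeverExpires"},
}

def has_any(text, terms):
    # Approximates KQL has_any / has (whole-term matching) with a case-insensitive substring test.
    return any(t.lower() in text.lower() for t in terms)

def detect(events, expected_domains, identities):
    # Mirrors the query: filter, group by (AccountUpn, TimeGenerated), require both protocols and both logon types.
    groups = defaultdict(lambda: {"Protocols": set(), "DeviceNames": set(), "LogonTypes": []})
    for e in events:
        if (e["ActionType"] != "LogonSuccess" or e["Protocol"] not in ("Adfs", "NTLM")
                or not e["DeviceName"] or has_any(e["DeviceName"], expected_domains)):
            continue
        g = groups[(e["AccountUpn"], e["TimeGenerated"])]
        g["Protocols"].add(e["Protocol"])
        g["DeviceNames"].add(e["DeviceName"])
        g["LogonTypes"].append(e["LogonType"])
    hits = []
    for (upn, ts), g in sorted(groups.items()):
        if not ({"Adfs", "NTLM"} <= g["Protocols"]
                and {"Logon with ADFS authentication", "Resource access"} <= set(g["LogonTypes"])):
            continue
        ident = identities.get(upn, {})  # leftouter lookup: an unknown UPN yields empty fields
        if ("ActiveDirectory" not in ident.get("SourceSystem", "")
                and "PasswordNeverExpires" not in ident.get("UserAccountControl", "")):
            continue
        hits.append({"TimeGenerated": ts, "AccountUpn": upn, "DeviceNames": sorted(g["DeviceNames"]),
                     "Protocols": sorted(g["Protocols"]), "LogonTypes": g["LogonTypes"]})
    return hits
```

Only the service account authenticating from the unmanaged host is returned; the workstation in the expected domain and the AD FS-only logon are filtered out as in the query.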

Details

Jose Sebastián Canós

Released: August 16, 2023

Tables

IdentityInfo, IdentityLogonEvents

Keywords

let, toscalar, _GetWatchlist, where, summarize, make_list, IdentityInfo, TimeGenerated, ago, arg_max, AccountUPN, IdentityLogonEvents, ActionType, Protocol, isnotempty, has_any, hint.shufflekey, array_sort_asc, make_set, by, has_all, lookup, kind=leftouter, $left.AccountUpn, $right.AccountUPN, SourceSystem, UserAccountControl, project, AccountUpn, DeviceNames, LogonTypes, Protocols, AccountDisplayName, JobTitle, Manager, Department, OnPremisesDistinguishedName, Tags, GroupMembership, AssignedRoles, AccountSID, AccountObjectId
