Query Details

Multiple User Reported Suspicious Activity

Query

let query_frequency = 5m;
let query_period = 2d;
AADUserRiskEvents
| where TimeGenerated > ago(query_frequency)
| where OperationName == "User Risk Detection" and Source == "EndUserReported" and RiskEventType == "userReportedSuspiciousActivity"
| summarize arg_max(TimeGenerated, *) by Id
| project
    //TimeGenerated,
    OperationName,
    Source,
    Activity,
    UserDisplayName,
    UserPrincipalName,
    UserId,
    RiskEventType,
    RiskState,
    RiskDetail,
    RiskLevel
| as _Events
| lookup kind=leftouter (
    (SigninLogs
    | where TimeGenerated > ago(query_period)
    | where AuthenticationDetails has "SuspiciousActivityReported" or Status has "SuspiciousActivityReported"
    | where UserId in (toscalar(_Events | summarize make_list(UserId)))
    | extend
        DeviceDetail = tostring(DeviceDetail),
        TimeReceived = _TimeReceived
    )
    | summarize
        arg_max(TimeReceived, *)
        by OriginalRequestId
    | project
        TimeGenerated,
        Type,
        // UserPrincipalName,
        // UserDisplayName,
        IPAddress,
        Location,
        ResultType,
        ResultDescription,
        ClientAppUsed,
        AppDisplayName,
        ResourceDisplayName,
        DeviceDetail,
        UserAgent,
        AuthenticationDetails,
        UserId,
        OriginalRequestId,
        CorrelationId
    ) on UserId
| project
    TimeGenerated,
    OperationName,
    Source,
    Activity,
    UserDisplayName,
    UserPrincipalName,
    RiskEventType,
    RiskState,
    RiskDetail,
    RiskLevel,
    Type,
    IPAddress,
    Location,
    ResultType,
    ResultDescription,
    ClientAppUsed,
    AppDisplayName,
    ResourceDisplayName,
    DeviceDetail,
    UserAgent,
    AuthenticationDetails,
    UserId,
    OriginalRequestId,
    CorrelationId

Explanation

This query correlates user risk events with sign-in logs for suspicious activity reported by end users. It looks at risk events from the last 5 minutes (query_frequency) and at sign-in logs from the past 2 days (query_period).

First, it filters the 'AADUserRiskEvents' table for events where the operation was "User Risk Detection", the source was "EndUserReported", and the risk event type was "userReportedSuspiciousActivity". It then keeps only the most recent record for each risk event Id, so an event that was updated (for example, a change of RiskState) appears once.

Next, it matches these events with corresponding entries in the 'SigninLogs' table from the past 2 days, where the authentication details or status contain "SuspiciousActivityReported". It does this by matching the 'UserId' field in both tables. Sign-ins are first deduplicated by OriginalRequestId (keeping the most recently received copy), and because the lookup is a left outer join, a risk event with no matching sign-in is still returned, with the sign-in columns empty.

Finally, it projects or displays selected fields from both tables, including details about the operation, user, risk event, sign-in event, and device used. This information can be used to investigate the reported suspicious activity.
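As an added example that is not part of the original query or the author's work, the same filter, deduplicate and leftouter lookup pattern run against constructed datatable stand-ins for AADUserRiskEvents and SigninLogs, so it can be tried in any Kusto or Log Analytics query window without the real tables. The column subset, user names, Ids, request Ids and IP addresses are made up; the _Events alias and toscalar/make_list membership test follow the page's query.

```kql
// Constructed stand-in for AADUserRiskEvents (subset of its columns, made-up values)
let _RiskEvents = datatable(TimeGenerated:datetime, Id:string, OperationName:string, Source:string,
                            RiskEventType:string, RiskState:string, RiskLevel:string,
                            UserPrincipalName:string, UserId:string)
[
    // evt-1 appears twice: the later row updates RiskState, and arg_max(TimeGenerated, *) by Id keeps only that row
    datetime(2023-02-25 10:00:00), "evt-1", "User Risk Detection", "EndUserReported", "userReportedSuspiciousActivity", "atRisk", "medium", "alice@contoso.example", "user-a",
    datetime(2023-02-25 10:01:00), "evt-1", "User Risk Detection", "EndUserReported", "userReportedSuspiciousActivity", "remediated", "medium", "alice@contoso.example", "user-a",
    // user-b reported activity but has no matching sign-in below: exercises the leftouter lookup
    datetime(2023-02-25 10:02:00), "evt-2", "User Risk Detection", "EndUserReported", "userReportedSuspiciousActivity", "atRisk", "high", "bob@contoso.example", "user-b",
    // a different detection source and type: must be dropped by the where clause
    datetime(2023-02-25 10:03:00), "evt-3", "User Risk Detection", "AzureAD", "anonymizedIPAddress", "atRisk", "medium", "carol@contoso.example", "user-c"
];
// Constructed stand-in for SigninLogs (subset of its columns, made-up values)
let _SigninLogs = datatable(TimeGenerated:datetime, _TimeReceived:datetime, OriginalRequestId:string, UserId:string,
                            IPAddress:string, ResultType:string, AuthenticationDetails:string, Status:string)
[
    // req-1 was ingested twice; arg_max(_TimeReceived, *) by OriginalRequestId collapses it to one row
    datetime(2023-02-24 09:00:00), datetime(2023-02-24 09:00:05), "req-1", "user-a", "203.0.113.10", "500121", '[{"authenticationStepResultDetail":"SuspiciousActivityReported"}]', "",
    datetime(2023-02-24 09:00:00), datetime(2023-02-24 09:00:09), "req-1", "user-a", "203.0.113.10", "500121", '[{"authenticationStepResultDetail":"SuspiciousActivityReported"}]', "",
    // an ordinary successful sign-in by the same user: no SuspiciousActivityReported term, so it is not joined
    datetime(2023-02-24 11:00:00), datetime(2023-02-24 11:00:02), "req-2", "user-a", "198.51.100.7", "0", "[]", ""
];
_RiskEvents
| where OperationName == "User Risk Detection" and Source == "EndUserReported" and RiskEventType == "userReportedSuspiciousActivity"
| summarize arg_max(TimeGenerated, *) by Id
| project OperationName, Source, UserPrincipalName, UserId, RiskEventType, RiskState, RiskLevel
| as _Events
| lookup kind=leftouter (
    _SigninLogs
    | where AuthenticationDetails has "SuspiciousActivityReported" or Status has "SuspiciousActivityReported"
    // restrict the sign-in side to users that actually have a risk event in _Events
    | where UserId in (toscalar(_Events | summarize make_list(UserId)))
    | summarize arg_max(_TimeReceived, *) by OriginalRequestId
    | project TimeGenerated, IPAddress, ResultType, AuthenticationDetails, UserId, OriginalRequestId
    ) on UserId
| project TimeGenerated, UserPrincipalName, UserId, RiskState, RiskLevel, IPAddress, ResultType, OriginalRequestId
```

The constructed rows are chosen so that each step of the page's query has something to do: the duplicated Id, the duplicated OriginalRequestId, the non-matching risk event and the user with no suspicious sign-in each exercise one clause.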

Details


Jose Sebastián Canós

Released: February 25, 2023

Tables

AADUserRiskEvents, SigninLogs

Keywords

TimeGenerated,OperationName,Source,Activity,UserDisplayName,UserPrincipalName,UserId,RiskEventType,RiskState,RiskDetail,RiskLevel,Type,IPAddress,Location,ResultType,ResultDescription,ClientAppUsed,AppDisplayName,ResourceDisplayName,DeviceDetail,UserAgent,AuthenticationDetails,OriginalRequestId,CorrelationId

Operators

let, where, ==, ago, and, summarize, arg_max, by, project, as, lookup, kind=leftouter, in, toscalar, make_list, extend, tostring, on
