Query Details

NEW Real Time Anomalous Token Detection

Query

// NEW Real-time Anomalous Token Detection
// https://www.linkedin.com/posts/activity-7194744137185701889-XCcu/

// As announced on the Microsoft Entra blog, Real-time Anomalous Token Detection now automatically disrupts token replay attacks in real time when paired with a risk-based Conditional Access policy for sign-ins (e.g. RiskLevel = High)

// Step 1: collect the RequestId of every sign-in that raised an "Anomalous Token" alert
let AnomalousTokenRequestId=
SecurityAlert
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)            // one row per entity object in the alert's Entities JSON array
| project Entities
| extend RequestId = tostring(Entities.RequestId)
| distinct RequestId;
// Step 2: keep only the matching risk detections that fired in real time, at high risk, and are still unremediated
AADUserRiskEvents
| where RequestId has_any(AnomalousTokenRequestId)
| where DetectionTimingType == "realtime"
| where RiskLevel == "high" and RiskState == "atRisk"

Explanation

This KQL (Kusto Query Language) query is designed to detect and respond to real-time anomalous token activities, specifically focusing on high-risk scenarios. Here's a simplified breakdown:

  1. Identify Anomalous Tokens:
    • The query first searches for security alerts with the name "Anomalous Token".
    • It extracts and lists unique RequestId values associated with these alerts.
  2. Filter High-Risk Events:
    • It then looks into AADUserRiskEvents (Azure Active Directory User Risk Events) to find events that match any of the identified RequestId values.
    • It filters these events to only include those detected in real-time (DetectionTimingType == "realtime"), with a high risk level (RiskLevel == "high"), and currently at risk (RiskState == "atRisk").

In essence, this query helps in automatically identifying and responding to high-risk, real-time anomalous token activities, potentially disrupting token replay attacks as they occur.
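The same two-step logic, run offline over constructed sample rows so the join can be checked outside Sentinel. This is an added example, not code from the page's author; the entity shape (a "cloud-logon-request" entity carrying RequestId) and all row values are constructed assumptions, and has_any is approximated as substring containment.

```python
import json

# Constructed SecurityAlert rows (not real alerts). Entities is the JSON array
# of entity objects that the KQL expands with mv-expand todynamic(Entities).
SECURITY_ALERTS = [
    {"AlertName": "Anomalous Token",
     "Entities": json.dumps([
         {"$id": "1", "Type": "account", "Name": "alice"},
         {"$id": "2", "Type": "cloud-logon-request", "RequestId": "req-0001"},
     ])},
    {"AlertName": "Unfamiliar sign-in properties",   # wrong AlertName: must be ignored
     "Entities": json.dumps([
         {"$id": "3", "Type": "cloud-logon-request", "RequestId": "req-0002"},
     ])},
]

# Constructed AADUserRiskEvents rows covering the filters the query applies.
RISK_EVENTS = [
    {"RequestId": "req-0001", "DetectionTimingType": "realtime", "RiskLevel": "high",
     "RiskState": "atRisk", "UserPrincipalName": "alice@example.com"},
    {"RequestId": "req-0001", "DetectionTimingType": "offline", "RiskLevel": "high",
     "RiskState": "atRisk", "UserPrincipalName": "alice@example.com"},      # not real-time
    {"RequestId": "req-0001", "DetectionTimingType": "realtime", "RiskLevel": "high",
     "RiskState": "remediated", "UserPrincipalName": "alice@example.com"},  # already handled
    {"RequestId": "req-0002", "DetectionTimingType": "realtime", "RiskLevel": "high",
     "RiskState": "atRisk", "UserPrincipalName": "bob@example.com"},        # no matching alert
]


def anomalous_token_request_ids(alerts):
    """Step 1: the distinct RequestId values of every 'Anomalous Token' alert."""
    ids = set()
    for alert in alerts:
        if alert["AlertName"] != "Anomalous Token":
            continue
        for entity in json.loads(alert["Entities"]):      # mv-expand todynamic(Entities)
            rid = entity.get("RequestId")                  # tostring(Entities.RequestId)
            if rid:                                        # skip entities without one
                ids.add(str(rid))
    return ids


def high_risk_realtime_events(events, request_ids):
    """Step 2: risk events tied to those requests that are realtime, high and atRisk."""
    return [e for e in events
            if any(rid in e["RequestId"] for rid in request_ids)   # has_any (substring approx.)
            and e["DetectionTimingType"] == "realtime"
            and e["RiskLevel"] == "high"
            and e["RiskState"] == "atRisk"]
```

Only the first constructed risk event survives all four conditions; an empty RequestId set yields no rows, matching has_any over an empty list.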

Details

Steven Lim

Released: August 2, 2024

Tables

SecurityAlert, AADUserRiskEvents

Keywords

SecurityAlert, AADUserRiskEvents

Operators

let, ==, |, mv-expand, todynamic, project, extend, tostring, distinct, has_any, and