Query Details

Password Success From Malicious IP

Query

// Generates an alert if first-factor authentication is successful from a known malicious IP address
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultDescription == "Sign-in was blocked because it came from an IP address with malicious activity"
| extend ['Password Result Detail'] = tostring(parse_json(AuthenticationDetails)[0].authenticationStepResultDetail), ['MFA Result Detail'] = tostring(parse_json(AuthenticationDetails)[1].authenticationStepResultDetail)
| where ['Password Result Detail'] has_any ("Correct password", "First factor requirement satisfied by claim in the token")
| project
    TimeGenerated,
    UserPrincipalName,
    UserDisplayName,
    IPAddress,
    Location,
    ResultType,
    ResultDescription,
    AppDisplayName,
    ['Password Result Detail'],
    ['MFA Result Detail'],
    UserAgent

Explanation

This query is designed to generate an alert when a successful first-factor authentication attempt is detected from a known malicious IP address. Here's a breakdown of what the query does:

  1. Data Source: It analyzes data from the SigninLogs table.

  2. Time Filter: It only considers sign-in attempts that occurred in the last hour (TimeGenerated > ago(1h)).

  3. Malicious IP Check: It filters for sign-in attempts that were blocked because they originated from an IP address associated with malicious activity (ResultDescription == "Sign-in was blocked because it came from an IP address with malicious activity").

  4. Authentication Details: It extracts details about the authentication steps:

    • Password Result Detail: Checks if the password was correct or if the first-factor requirement was satisfied by a claim in the token.
    • MFA Result Detail: Extracts details about multi-factor authentication, although it doesn't filter based on this.

  5. Projection: It selects specific fields to display in the results, including:

    • TimeGenerated: When the sign-in attempt occurred.
    • UserPrincipalName and UserDisplayName: The identity of the user attempting to sign in.
    • IPAddress and Location: Information about where the sign-in attempt originated.
    • ResultType and ResultDescription: Details about the outcome of the sign-in attempt.
    • AppDisplayName: The application involved in the sign-in attempt.
    • UserAgent: Information about the device or browser used.

In summary, the query identifies and reports sign-in attempts that were blocked because they originated from a malicious IP, but where the first-factor authentication (such as the password entry) nevertheless succeeded.
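The same detection logic as the query above, re-implemented in Python as an added example (not code from the page or its author) and run over constructed SigninLogs-style records, so the AuthenticationDetails parsing and the first-factor filter can be checked offline. The sample rows, IP addresses, ResultType values and step-detail strings are invented for the example; `has_any` is approximated by a case-insensitive substring match.

```python
"""Added example (not from the page): the 'Password Success From Malicious IP'
KQL logic in Python, run over constructed SigninLogs-style records."""
import json
from datetime import datetime, timedelta, timezone

BLOCKED_MALICIOUS_IP = (
    "Sign-in was blocked because it came from an IP address with malicious activity"
)
FIRST_FACTOR_OK = (
    "Correct password",
    "First factor requirement satisfied by claim in the token",
)
PROJECTED = (
    "TimeGenerated", "UserPrincipalName", "UserDisplayName", "IPAddress", "Location",
    "ResultType", "ResultDescription", "AppDisplayName", "UserAgent",
)


def step_detail(auth_details, index):
    """Mirror tostring(parse_json(AuthenticationDetails)[index].authenticationStepResultDetail).
    A missing step, missing property or unparsable JSON yields "" here, as tostring(null) does in KQL."""
    try:
        steps = json.loads(auth_details) if isinstance(auth_details, str) else auth_details
        value = steps[index]["authenticationStepResultDetail"]
    except (ValueError, IndexError, KeyError, TypeError):
        return ""
    return "" if value is None else str(value)


def has_any(text, terms):
    """Approximates KQL has_any: case-insensitive, true if any term appears in the text."""
    lowered = text.lower()
    return any(term.lower() in lowered for term in terms)


def password_success_from_malicious_ip(rows, now, window=timedelta(hours=1)):
    """Return the projected alert rows for the window ending at `now`."""
    alerts = []
    for row in rows:
        if row["TimeGenerated"] <= now - window:               # TimeGenerated > ago(1h)
            continue
        if row["ResultDescription"] != BLOCKED_MALICIOUS_IP:   # blocked by the malicious-IP check
            continue
        password_detail = step_detail(row["AuthenticationDetails"], 0)
        mfa_detail = step_detail(row["AuthenticationDetails"], 1)
        if not has_any(password_detail, FIRST_FACTOR_OK):      # first factor actually succeeded
            continue
        alert = {field: row.get(field) for field in PROJECTED}
        alert["Password Result Detail"] = password_detail
        alert["MFA Result Detail"] = mfa_detail
        alerts.append(alert)
    return alerts


# Constructed sample data: a fixed NOW keeps the 1h window repeatable.
NOW = datetime(2024, 11, 10, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago, upn, result_description, steps, result_type="50053"):
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "UserPrincipalName": upn,
        "UserDisplayName": upn.split("@")[0].title(),
        "IPAddress": "203.0.113.10",           # documentation range, constructed
        "Location": "XX",
        "ResultType": result_type,             # constructed sample value
        "ResultDescription": result_description,
        "AppDisplayName": "Office 365",
        "AuthenticationDetails": json.dumps(steps),
        "UserAgent": "Mozilla/5.0 (constructed)",
    }


SAMPLE_ROWS = [
    # 1: blocked from a malicious IP, but the password was correct -> alert
    _row(10, "alice@example.com", BLOCKED_MALICIOUS_IP,
         [{"authenticationStepResultDetail": "Correct password"},
          {"authenticationStepResultDetail": "MFA required in Azure AD"}]),
    # 2: blocked from a malicious IP, wrong password -> no alert (spray noise)
    _row(12, "bob@example.com", BLOCKED_MALICIOUS_IP,
         [{"authenticationStepResultDetail": "Invalid username or password"}]),
    # 3: correct password, but a different block reason -> no alert
    _row(15, "carol@example.com", "Other",
         [{"authenticationStepResultDetail": "Correct password"}], result_type="0"),
    # 4: matches on content but is older than the 1h window -> no alert
    _row(120, "dave@example.com", BLOCKED_MALICIOUS_IP,
         [{"authenticationStepResultDetail": "Correct password"}]),
    # 5: token-claim first factor with a single step, so MFA detail is empty -> alert
    _row(5, "erin@example.com", BLOCKED_MALICIOUS_IP,
         [{"authenticationStepResultDetail": "First factor requirement satisfied by claim in the token"}]),
]

if __name__ == "__main__":
    for alert in password_success_from_malicious_ip(SAMPLE_ROWS, now=NOW):
        print(alert["TimeGenerated"].isoformat(), alert["UserPrincipalName"],
              repr(alert["Password Result Detail"]), repr(alert["MFA Result Detail"]))
```

Row 5 shows why the query reads `[1]` defensively through `tostring`: a single-step AuthenticationDetails array has no second element, so the MFA column is empty rather than an error, and the first-factor filter still fires.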

Details


Robbie James

Released: November 10, 2024

Tables

SigninLogs

Keywords

SigninLogs, TimeGenerated, ResultDescription, AuthenticationDetails, UserPrincipalName, UserDisplayName, IPAddress, Location, ResultType, AppDisplayName, UserAgent

Operators

SigninLogs, |, where, >, ago(), ==, extend, =, tostring(), parse_json(), [], has_any(), project
