Query Details

Risky Sign In Followed By MFA Registration

Query

//This query detects successful risky sign-ins followed by MFA registration
//Helps identify potential adversaries trying to achieve persistence through security info registration
let Threshold = 1440;
let signinEvents = 
    SigninLogs
    | where TimeGenerated >= ago(1d)
    | where ResultType == 0
    | where RiskLevelDuringSignIn in ("high","medium","low")   // Risky sign-ins only
    | extend
        PWResult = tostring(parse_json(AuthenticationDetails)[0].authenticationStepResultDetail),
        MFAResult = tostring(parse_json(AuthenticationDetails)[1].authenticationStepResultDetail)
    | project SignInTime = TimeGenerated, UserId = tolower(UserPrincipalName), RiskLevelDuringSignIn, SignInIPAddress = IPAddress, SignInLocation = Location, PWResult, MFAResult;
let authRegEvents = 
    AuditLogs
    | where TimeGenerated >= ago(1d)
    | where OperationName contains "User registered security info"
    | where Result == "success"
    | extend TargetUser = tostring(parse_json(TargetResources)[0].userPrincipalName)
    | extend AuthRegIPAddress = parse_json(tostring(InitiatedBy.user)).ipAddress
    | project AuthRegTime = TimeGenerated, UserId = tolower(TargetUser), OperationName, AuthRegResult = Result, AuthRegIPAddress;
signinEvents
| join kind=inner authRegEvents on UserId 
| where AuthRegTime > SignInTime
| extend ["Minutes between actions"] = datetime_diff('minute', AuthRegTime, SignInTime)
| where ["Minutes between actions"] <= Threshold 

Explanation

This query is designed to detect potentially suspicious behavior by identifying cases where a user has a successful risky sign-in followed by a multi-factor authentication (MFA) registration within a short time frame (less than or equal to 1440 minutes, or 24 hours). Here's a simplified breakdown of what the query does:

  1. Define a Time Threshold: The query sets a threshold of 1440 minutes (24 hours) that is applied to the joined events.

  2. Identify Risky Sign-ins:
    • It looks at sign-in logs from the past day (ago(1d)).
    • Filters for successful sign-ins (ResultType == 0) that are considered risky (RiskLevelDuringSignIn of high, medium, or low).
    • Extracts the result of the password and MFA authentication steps from AuthenticationDetails.

  3. Identify MFA Registrations:
    • It examines audit logs from the past day for successful "User registered security info" operations (such as registering an MFA method).
    • Extracts the target user and the IP address used for the registration.

  4. Join and Filter Events:
    • The query joins the sign-in events with the registration events on the lower-cased user principal name (UserId).
    • It keeps only pairs where the registration happened after the risky sign-in.
    • Calculates the number of minutes between the sign-in and the registration.
    • Filters the results to those where that difference is within the 1440-minute threshold.

The purpose of this query is to help identify potential adversaries who might be trying to establish persistence in a tenant by registering security information shortly after a risky sign-in. Each result carries both SignInIPAddress and AuthRegIPAddress, so an analyst can check whether the registration came from the same address as the risky sign-in.
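To reason about the query's edge cases offline, here is an added Python re-implementation of its correlation logic run over constructed sample rows (example code, not part of the original query page). It assumes the one-day lookback has already been applied to the input rows and leaves out the password/MFA step-detail parsing.

```python
from datetime import datetime, timedelta

THRESHOLD_MINUTES = 1440  # same 24-hour window as the KQL query's Threshold

# Constructed sample rows standing in for SigninLogs and AuditLogs (hypothetical data).
SIGNIN_LOGS = [
    {"TimeGenerated": datetime(2024, 11, 10, 8, 0), "ResultType": 0, "RiskLevelDuringSignIn": "medium",
     "UserPrincipalName": "Alice@contoso.example", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": datetime(2024, 11, 10, 9, 0), "ResultType": 50126, "RiskLevelDuringSignIn": "high",
     "UserPrincipalName": "bob@contoso.example", "IPAddress": "203.0.113.11"},   # failed sign-in
    {"TimeGenerated": datetime(2024, 11, 10, 9, 0), "ResultType": 0, "RiskLevelDuringSignIn": "none",
     "UserPrincipalName": "carol@contoso.example", "IPAddress": "198.51.100.5"},  # not risky
    {"TimeGenerated": datetime(2024, 11, 9, 6, 0), "ResultType": 0, "RiskLevelDuringSignIn": "low",
     "UserPrincipalName": "dave@contoso.example", "IPAddress": "198.51.100.7"},
]
AUDIT_LOGS = [
    {"TimeGenerated": datetime(2024, 11, 10, 8, 25), "OperationName": "User registered security info",
     "Result": "success", "TargetUser": "alice@contoso.example", "ipAddress": "203.0.113.10"},
    {"TimeGenerated": datetime(2024, 11, 10, 9, 30), "OperationName": "User registered security info",
     "Result": "success", "TargetUser": "bob@contoso.example", "ipAddress": "203.0.113.11"},
    {"TimeGenerated": datetime(2024, 11, 10, 9, 30), "OperationName": "User registered security info",
     "Result": "success", "TargetUser": "carol@contoso.example", "ipAddress": "198.51.100.5"},
    {"TimeGenerated": datetime(2024, 11, 10, 7, 0), "OperationName": "User registered security info",
     "Result": "success", "TargetUser": "dave@contoso.example", "ipAddress": "198.51.100.7"},  # 25 h later
    {"TimeGenerated": datetime(2024, 11, 10, 7, 0), "OperationName": "User registered security info",
     "Result": "success", "TargetUser": "alice@contoso.example", "ipAddress": "203.0.113.10"},  # before sign-in
]


def correlate(signins, audits, threshold_minutes=THRESHOLD_MINUTES):
    """Return the (risky sign-in, registration) pairs the KQL query would surface."""
    risky = [s for s in signins if s["ResultType"] == 0
             and s["RiskLevelDuringSignIn"] in ("high", "medium", "low")]
    regs = [a for a in audits if "User registered security info" in a["OperationName"]
            and a["Result"] == "success"]
    hits = []
    for s in risky:
        for a in regs:
            # join on the lower-cased UPN, as tolower() does in the query
            if s["UserPrincipalName"].lower() != a["TargetUser"].lower():
                continue
            # whole minutes between the two events (registration minus sign-in)
            minutes = (a["TimeGenerated"] - s["TimeGenerated"]) // timedelta(minutes=1)
            # registration must follow the sign-in and land inside the window
            if a["TimeGenerated"] > s["TimeGenerated"] and minutes <= threshold_minutes:
                hits.append({"UserId": s["UserPrincipalName"].lower(),
                             "SignInIPAddress": s["IPAddress"], "AuthRegIPAddress": a["ipAddress"],
                             "MinutesBetween": minutes})
    return hits
```

With the sample rows only Alice is flagged: Bob's sign-in failed, Carol's was not risky, Dave's registration is 1500 minutes later, and Alice's earlier registration precedes her sign-in.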

Details


Robbie James

Released: November 10, 2024

Tables

SigninLogs, AuditLogs

Keywords

SigninLogs, AuditLogs, AuthenticationDetails, UserPrincipalName, IPAddress, Location, OperationName, TargetResources, InitiatedBy

Operators

let, ago, in, extend, tostring, parse_json, project, tolower, contains, join, kind, on, where, datetime_diff
