Query Details

Risky Sign In To Azure Portal

Query

id: d82a024f-bdae-4819-a590-2a8d8318b40b
name: Risky sign-in events to Azure Portal without applied Conditional Access Policies.
description: |
  'This query over Azure Active Directory sign-in events searches for risky sign-in events to the Azure Portal for which no Conditional Access Policy was applied.'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  // Union the interactive and non-interactive Azure AD sign-in tables
  union AADNonInteractiveUserSignInLogs, SigninLogs
  // Successful sign-ins (ResultType 0) where no Conditional Access policy was applied
  | where ConditionalAccessStatus == "notApplied" and ResultType == "0"
  // Keep only sign-ins flagged as risky in real time or in aggregate
  | where RiskLevelDuringSignIn != "none" or RiskLevelAggregated != "none"
  // Restrict to UPNs containing "RiskyGuest" (KQL contains is case-insensitive)
  | where UserPrincipalName contains "RiskyGuest"
  // Rename to the columns referenced in entityMappings and keep the risk context
  | project timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, AppDisplayName, RiskLevelDuringSignIn, RiskLevelAggregated, RiskDetail, RiskState, IsRisky, OriginalRequestId
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled

Explanation

This query searches for risky sign-in events to the Azure Portal for which no Conditional Access Policy was applied. It unions the interactive (SigninLogs) and non-interactive (AADNonInteractiveUserSignInLogs) Azure Active Directory sign-in tables and keeps events where ConditionalAccessStatus is "notApplied" and ResultType is "0", i.e. the sign-in succeeded. It then keeps only events where RiskLevelDuringSignIn or RiskLevelAggregated is not "none", and where UserPrincipalName contains "RiskyGuest". Note that the query does not filter on AppDisplayName; the application is returned in the results so the Azure Portal scope can be checked there. For matching events the query projects the timestamp, the user account (mapped to the Account entity), the IP address (mapped to the IP entity), the app display name, both risk levels, the risk detail, the risk state, the IsRisky flag and the original request ID. The rule runs every hour over the previous hour of data and triggers when more than zero results are returned.
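To make the rule's matching logic testable offline, the following added example (not part of the original rule or the author's code) re-implements the three KQL `where` clauses and the `project` step in Python over constructed sign-in rows; the field names are the ones used in the KQL, and the rows, UPNs and request IDs are sample values.

```python
# Added example (not from the original page): the rule's KQL filters and projection
# re-implemented in Python over constructed sign-in rows. Field names follow the KQL.
OUTPUT_COLUMNS = ("AppDisplayName", "RiskLevelDuringSignIn", "RiskLevelAggregated",
                  "RiskDetail", "RiskState", "IsRisky", "OriginalRequestId")

def signin(**overrides):
    """Build one constructed sign-in row with benign defaults (sample data, not real logs)."""
    row = {"TimeGenerated": "2023-08-23T10:00:00Z", "UserPrincipalName": "alice@contoso.example",
           "IPAddress": "203.0.113.10", "AppDisplayName": "Azure Portal",
           "ConditionalAccessStatus": "success", "ResultType": "0",
           "RiskLevelDuringSignIn": "none", "RiskLevelAggregated": "none", "RiskDetail": "none",
           "RiskState": "none", "IsRisky": False, "OriginalRequestId": "req-0000"}
    row.update(overrides)
    return row

def is_match(row):
    """Mirror the three KQL `where` clauses. KQL `==` on strings is case-sensitive,
    while `contains` is case-insensitive, hence the lower() on the UPN."""
    if row.get("ConditionalAccessStatus") != "notApplied" or row.get("ResultType") != "0":
        return False  # a CA policy was evaluated, or the sign-in did not succeed
    if row.get("RiskLevelDuringSignIn", "none") == "none" and row.get("RiskLevelAggregated", "none") == "none":
        return False  # neither real-time nor aggregated risk was flagged
    return "riskyguest" in row.get("UserPrincipalName", "").lower()

def run_rule(signin_logs, noninteractive_logs):
    """union both tables, filter with is_match, project the rule's output columns."""
    results = []
    for row in list(noninteractive_logs) + list(signin_logs):
        if is_match(row):
            out = {"timestamp": row["TimeGenerated"],
                   "AccountCustomEntity": row["UserPrincipalName"],  # Account / FullName entity
                   "IPCustomEntity": row["IPAddress"]}               # IP / Address entity
            out.update({k: row.get(k) for k in OUTPUT_COLUMNS})
            results.append(out)
    return results

# Constructed rows: one true positive per table plus three near-misses.
GUEST = "RiskyGuest_contoso.example#EXT#@fabrikam.example"
SIGNINLOGS = [
    signin(UserPrincipalName=GUEST, ConditionalAccessStatus="notApplied", RiskLevelDuringSignIn="medium",
           RiskState="atRisk", IsRisky=True, OriginalRequestId="req-0001"),
    signin(UserPrincipalName=GUEST, ConditionalAccessStatus="success", RiskLevelDuringSignIn="high",
           OriginalRequestId="req-0002"),  # CA policy applied: not a policy gap
    signin(UserPrincipalName=GUEST, ConditionalAccessStatus="notApplied", ResultType="50126",
           RiskLevelAggregated="low", OriginalRequestId="req-0003"),  # failed sign-in
]
AADNONINTERACTIVE = [
    signin(UserPrincipalName="riskyguest@contoso.example", ConditionalAccessStatus="notApplied",
           RiskLevelAggregated="low", OriginalRequestId="req-0004"),  # different case, still matches
    signin(UserPrincipalName="bob@contoso.example", ConditionalAccessStatus="notApplied",
           RiskLevelDuringSignIn="high", OriginalRequestId="req-0005"),  # UPN lacks the literal
]
```

Running `run_rule(SIGNINLOGS, AADNONINTERACTIVE)` returns only req-0001 and req-0004; the other rows show which single condition removes an otherwise similar event.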

Details

Thomas Naunheim

Released: August 23, 2023

Tables

AADNonInteractiveUserSignInLogs

SigninLogs

Keywords

Risky sign-in events, Azure Portal, Conditional Access Policies, Azure Active Directory, SigninLogs, AADNonInteractiveUserSignInLogs, ConditionalAccessStatus, ResultType, RiskLevelDuringSignIn, RiskLevelAggregated, UserPrincipalName, RiskyGuest, timestamp, AccountCustomEntity, IPCustomEntity, AppDisplayName, RiskDetail, RiskState, IsRisky, OriginalRequestId, FullName, Address, Scheduled

Operators

union, where, ==, and, or, contains, project