Query Details

Risky sign-in events to Azure Portal without applied Conditional Access Policies.

Risky Sign In To Azure Portal

Query

union AADNonInteractiveUserSignInLogs, SigninLogs
| where ConditionalAccessStatus == "notApplied" and ResultType == "0"
| where RiskLevelDuringSignIn != "none" or RiskLevelAggregated != "none"
// Azure Portal: c44b4083-3bb0-49c1-b47d-974e53cbdf3c
| where AppId in ("c44b4083-3bb0-49c1-b47d-974e53cbdf3c")
| project timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, AppDisplayName, RiskLevelDuringSignIn, RiskLevelAggregated, RiskDetail, RiskState, IsRisky, OriginalRequestId

Explanation

This query is designed to identify risky sign-in events to the Azure Portal where Conditional Access Policies were not applied. It checks Azure Active Directory sign-in logs for instances where:

  1. Conditional Access Policies were not applied (ConditionalAccessStatus == "notApplied").
  2. The sign-in was successful (ResultType == "0").
  3. There was some level of risk associated with the sign-in (RiskLevelDuringSignIn != "none" or RiskLevelAggregated != "none").
  4. The sign-in was specifically to the Azure Portal (identified by the AppId).

The query runs every hour and looks back over the past hour to find any such events. If it finds any, it triggers an alert. The results include details like the timestamp, user account, IP address, application name, risk levels, risk details, and the original request ID. The query is part of a scheduled task and is associated with the "Initial Access" tactic and the "T1078" technique, which relates to valid accounts being used for access.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: November 18, 2023

Tables

AADNonInteractiveUserSignInLogsSigninLogs

Keywords

AzureActiveDirectorySigninLogsAADNonInteractiveUserSignInConditionalAccessPoliciesPortalRiskyEvents

Operators

unionwhereorinproject

Severity

Medium

Tactics

InitialAccess

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub