Query Details
//When an anomalous token alert is flagged, find the specific risk events that flagged the alert
//Data connector required for this query - Security Alert (the SecurityAlert table is free to ingest and is where other Defender products send their alerts)
//Data connector required for this query - Azure Active Directory - AAD User Risk Events
let alerts=
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)
| project Entities
| extend RequestId = tostring(Entities.SessionId)
//Entities without a SessionId would produce an empty RequestId, which would then match every risk event that also lacks a RequestId
| where isnotempty(RequestId)
| distinct RequestId;
//Risk detections can be offline (evaluated after the sign-in completes), so retrieve a week's worth of risk data rather than matching the one-day alert window
AADUserRiskEvents
| where TimeGenerated > ago(7d)
| where RequestId in (alerts)
| project TimeGenerated, UserPrincipalName, RiskEventType, RiskLevel, DetectionTimingType, IpAddress, Location

This query finds the Azure AD Identity Protection risk events that triggered an Anomalous Token alert. It uses two data connectors: Security Alert and Azure Active Directory (AAD User Risk Events).

First, it retrieves alerts from the SecurityAlert table that were generated within the last day and have the AlertName "Anomalous Token". It expands the Entities column so that each entity becomes its own row, keeps only that column, and reads the entity's SessionId into a RequestId column. Entities that carry no SessionId are dropped, and the remaining RequestIds are deduplicated. The SessionId on the alert's entities is treated as the same identifier that AADUserRiskEvents records as RequestId, which is what lets the two tables be correlated.

Next, it retrieves risk events from the AADUserRiskEvents table for the last seven days, a wider window than the alert query because offline detections can be written well after the sign-in they describe. It keeps only the events whose RequestId appears in the set collected from the alerts, then projects the TimeGenerated, UserPrincipalName, RiskEventType, RiskLevel, DetectionTimingType, IpAddress, and Location columns so the analyst can see which detection, at what risk level, and from which IP and location produced the alert.
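As an added example, and not part of the original query above, the same correlation can be written as a join so that each risk event is returned alongside the alert that surfaced it, which is useful when several Anomalous Token alerts fire in the same day. The lookback variables are introduced here for illustration; SystemAlertId, AlertSeverity and CompromisedEntity are standard SecurityAlert columns, and the empty-RequestId filter is applied on both sides so a missing identifier cannot pair an alert with every risk event that also lacks one.

```kql
// Added example (not the original query): attribute each matching risk event
// back to the Anomalous Token alert it came from.
let lookback_alerts = 1d;   // alerts are recent
let lookback_risk = 7d;     // risk detections can arrive late (offline detections)
SecurityAlert
| where TimeGenerated > ago(lookback_alerts)
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)
| extend RequestId = tostring(Entities.SessionId)
// drop entities with no SessionId so an empty key never joins to anything
| where isnotempty(RequestId)
| project AlertTime = TimeGenerated, SystemAlertId, AlertSeverity, CompromisedEntity, RequestId
| join kind=inner (
    AADUserRiskEvents
    | where TimeGenerated > ago(lookback_risk)
    | where isnotempty(RequestId)
    | project RiskTime = TimeGenerated, RequestId, UserPrincipalName, RiskEventType,
              RiskLevel, DetectionTimingType, IpAddress, Location
) on RequestId
// the join duplicates the key as RequestId1; keep a single copy
| project-away RequestId1
| order by AlertTime desc, RiskTime asc
```

Because the join is inner, alerts whose SessionId has no matching risk event within the seven-day window are silently dropped; switch to kind=leftouter if you also want to see alerts that could not be explained by a risk detection.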

Matt Zorich
Released: June 17, 2022