KQL Search

Query Details

HomeAI ToolsDevice Query

Security Alert Summarize Signinsafter Mailbox Rule

Query

//When Defender for Cloud Apps detects a suspicious mailbox rule created, take that IP address and summarize sign in events for that user and IP address for the last 30 days.

//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
//Data connector required for this query - Azure Active Directory - Signin Logs

//If they have only signed in a few times from that IP it may a sign the account has been compromised and a threat actor has added mailbox rule
let failureCodes = dynamic([50053, 50126, 50055]);
let successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName == "Suspicious inbox manipulation rule"
| extend IPAddress = tostring(parse_json(ExtendedProperties).["IP Addresses"])
| project ['Alert Time']=TimeGenerated, Description, IPAddress, UserPrincipalName=CompromisedEntity
| join kind=inner(
    SigninLogs
    | where TimeGenerated > ago (30d)
    )
    on UserPrincipalName, IPAddress
| project
    TimeGenerated,
    ['Alert Time'],
    Description,
    ResultType,
    UserPrincipalName,
    IPAddress,
    NetworkLocationDetails
| summarize
    ['Count of successful sign ins from MFA IP Address'] = countif(ResultType in(successCodes)),
    ['Count of failed sign ins from MFA IP Address'] = countif(ResultType in(failureCodes))
    by UserPrincipalName, Description, IPAddress, NetworkLocationDetails, ['Alert Time']

Explanation

This query looks for suspicious mailbox rules created in Defender for Cloud Apps. If a suspicious rule is detected, it takes the IP address associated with it and summarizes the sign-in events for that user and IP address in the last 30 days. The query uses two data connectors - Security Alert and Azure Active Directory - Signin Logs. It checks if the user has signed in multiple times from that IP address, which could indicate a compromised account. The query then joins the SecurityAlert and SigninLogs tables based on the UserPrincipalName and IPAddress. Finally, it summarizes the count of successful and failed sign-ins from the MFA IP address for each user, along with other relevant information.

Details

Matt Zorich profile picture

Matt Zorich

Released: June 17, 2022

Tables

SecurityAlertSigninLogs

Keywords

Defender,CloudApps,IPaddress,Signinevents,User,30days,Dataconnector,SecurityAlert,AzureActiveDirectory,SigninLogs,mailboxrule,failureCodes,successCodes,TimeGenerated,AlertName,ExtendedProperties,IPAddress,Description,UserPrincipalName,ResultType,NetworkLocationDetails,CountofsuccessfulsigninsfromMFAIPAddress,CountoffailedsigninsfromMFAIPAddress

Operators

whereextendprojectjoinonsummarizecountifinby

Actions