Query Details

Sign In From External Privileged User Without MFA Claim

Query

id: ac0f93cf-249b-4515-b80e-c0a2ae96cb07
name: Sign-in activity from external (privileged) user without MFA claim in the token.
description: |
  'This query over Azure Active Directory sign-in events searches for successful sign-ins by external privileged users (identified by your defined adminAccountPreffix) whose sign-in status does not report "MFA requirement satisfied by claim in the token". It can be used to detect access to the inviting (resource) tenant without the MFA requirement having been satisfied in the home tenant.'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  let adminAccountPreffix = 'adm';
  union AADNonInteractiveUserSignInLogs, SigninLogs
  | where ResultType == "0" and UserPrincipalName startswith adminAccountPreffix
  // Status is a string column in AADNonInteractiveUserSignInLogs but a dynamic column in SigninLogs,
  // so the union splits it into Status_string and Status_dynamic; test whichever one the row carries.
  | extend StatusDetails = coalesce(Status_string, tostring(Status_dynamic))
  | where StatusDetails !contains "MFA requirement satisfied by claim in the token"
  | project timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0

Explanation

This query searches Azure Active Directory (Microsoft Entra ID) sign-in events, both interactive (SigninLogs) and non-interactive (AADNonInteractiveUserSignInLogs), for successful sign-ins (ResultType == "0") by accounts whose UserPrincipalName starts with the configured admin prefix (adminAccountPreffix, 'adm' by default) and whose sign-in status does not report "MFA requirement satisfied by claim in the token". That status is recorded when the resource tenant accepts an MFA claim issued by the user's home tenant (the inbound cross-tenant access setting that trusts MFA from external organisations), so its absence on a privileged external account indicates access to the inviting tenant without the home-tenant MFA requirement being met. The rule runs every hour over the previous hour, has medium severity, maps to Initial Access / T1078 (Valid Accounts), and projects the timestamp, account and source IP address as the alert entities.

Two caveats for tuning. First, "external" and "privileged" are inferred purely from the UPN prefix; the query does not check UserType or the home tenant, so any account matching the prefix is in scope and the prefix should be as specific as your naming convention allows. Second, Status is a string column in AADNonInteractiveUserSignInLogs but a dynamic column in SigninLogs, so the union exposes it as Status_string and Status_dynamic; the MFA-claim filter has to consider both columns, otherwise every interactive sign-in passes the string test with an empty value and shows up as a hit.
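To see how the union and the MFA-claim filter behave, here is an added example that is not part of the published rule: it runs the same logic over constructed rows shaped like the relevant columns of the two tables (the UPNs, IP addresses and timestamps are made up). Both the `let`-defined tables and the `mfaClaim`, `StatusDetails`, `MfaClaimPresent` and `FlaggedByStringOnlyFilter` names are assumptions introduced for the illustration.

```kql
// Constructed sample data standing in for the two Sentinel tables; only the columns the rule touches.
let AADNonInteractiveUserSignInLogs = datatable(
    TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string, Status:string)
[
    datetime(2023-08-23T10:00:00Z), "adm.alice@partner.example", "198.51.100.10", "0",
        '{"errorCode":0,"additionalDetails":"MFA requirement satisfied by claim in the token"}',
    datetime(2023-08-23T10:05:00Z), "adm.bob@partner.example", "198.51.100.11", "0",
        '{"errorCode":0}',
    datetime(2023-08-23T10:06:00Z), "bob@partner.example", "198.51.100.12", "0",
        '{"errorCode":0}'
];
let SigninLogs = datatable(
    TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string, Status:dynamic)
[
    datetime(2023-08-23T10:10:00Z), "adm.carol@partner.example", "203.0.113.5", "0",
        dynamic({"errorCode":0,"additionalDetails":"MFA requirement satisfied by claim in the token"}),
    datetime(2023-08-23T10:11:00Z), "adm.dave@partner.example", "203.0.113.6", "0",
        dynamic({"errorCode":0}),
    datetime(2023-08-23T10:12:00Z), "adm.erin@partner.example", "203.0.113.7", "50074",
        dynamic({"errorCode":50074,"failureReason":"Strong Authentication is required."})
];
let adminAccountPreffix = 'adm';
let mfaClaim = "MFA requirement satisfied by claim in the token";
union AADNonInteractiveUserSignInLogs, SigninLogs
| where ResultType == "0" and UserPrincipalName startswith adminAccountPreffix
// After the union, non-interactive rows populate Status_string and interactive rows populate Status_dynamic.
| extend StatusDetails = coalesce(Status_string, tostring(Status_dynamic))
| extend MfaClaimPresent = StatusDetails contains mfaClaim
// What a filter on Status_string alone would flag: every SigninLogs row, because that column is empty there.
| extend FlaggedByStringOnlyFilter = Status_string !contains mfaClaim
| project TimeGenerated, UserPrincipalName, IPAddress, MfaClaimPresent, FlaggedByStringOnlyFilter
| order by TimeGenerated asc
```

Four rows survive the first `where`: adm.alice, adm.bob, adm.carol and adm.dave (adm.erin is dropped by ResultType, bob@ by the prefix). Only adm.bob and adm.dave have MfaClaimPresent == false and are the sign-ins the rule should alert on; FlaggedByStringOnlyFilter is also true for adm.carol, whose interactive sign-in did carry the claim, which is the false positive a string-only filter produces.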

Details


Thomas Naunheim

Released: August 23, 2023

Tables

AADNonInteractiveUserSignInLogs, SigninLogs

Keywords

SigninLogs, AADNonInteractiveUserSignInLogs, ResultType, UserPrincipalName, adminAccountPreffix, Status_string, "MFA requirement satisfied by claim in the token", TimeGenerated, IPAddress, AccountCustomEntity, IPCustomEntity, FullName, Address

Operators

where, union, |, ==, startswith, !contains, project
