Query Details

SigninLogs: Azure Portal sign-in from another Azure tenant

Query

// Build the reference list of Azure public IP prefixes from the mirrored
// ServiceTags_Public.json feed. The file is fetched with externaldata on every
// run, so results depend on that URL being reachable and on how current the
// mirrored copy is at query time.
let _AzureIPRanges = externaldata(changeNumber: string, cloud: string, values: dynamic)
    ["https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json"] with(format='multijson')
    // One row per service tag, then one row per address prefix inside that tag.
    | mv-expand values
    | mv-expand IPAddress = values["properties"]["addressPrefixes"] to typeof(string)
    | distinct IPAddress
    // Label each prefix by address family. The v6 branch is only reached when
    // parse_ipv4 fails, so a prefix that parses as IPv4 is never labelled "v6".
    // Anything that parses as neither gets "".
    | extend IPAddressType = case(
        isnotempty(parse_ipv4(IPAddress)), "v4",
        (isempty(parse_ipv4(IPAddress)) and isnotempty(parse_ipv6(IPAddress))), "v6",
        ""
        )
    // Collapse to one row per address family carrying the full prefix list;
    // this is the join key and payload used against SigninLogs below.
    | summarize IPAddressList = make_list(IPAddress) by IPAddressType
;
// Successful (ResultType 0) sign-ins whose application name contains "Azure Portal".
SigninLogs
| where AppDisplayName has "Azure Portal" and ResultType == 0
// Cross-tenant sign-ins: the identity's home tenant differs from the tenant
// owning the resource, and the resource tenant equals AADTenantId
// (presumably the workspace's own tenant — verify against the SigninLogs schema).
| where HomeTenantId != ResourceTenantId and ResourceTenantId == AADTenantId
// Same v4/v6 labelling as in _AzureIPRanges so the join key lines up.
| extend IPAddressType = case(
    isnotempty(parse_ipv4(IPAddress)), "v4",
    (isempty(parse_ipv4(IPAddress)) and isnotempty(parse_ipv6(IPAddress))), "v6",
    ""
    )
// Inner join: each sign-in row gains the prefix list for its own address
// family. Rows whose family has no matching list (e.g. an unparsable IP
// labelled "") are dropped here rather than in the range check.
| join kind=inner _AzureIPRanges on IPAddressType
// Keep only sign-ins whose source address falls inside one of the Azure
// prefixes; the family-specific range function is chosen by the label.
// A match means the sign-in originated from Azure public IP space.
| where case(
    IPAddressType == "v4", ipv4_is_in_any_range(IPAddress, IPAddressList),
    IPAddressType == "v6", ipv6_is_in_any_range(IPAddress, IPAddressList),
    false
    )
// One row per source IP, tenant pair and user, spanning the first and last
// matching sign-in.
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    // Prefer a readable UPN: skip values that are a bare GUID. The character
    // class is lowercase-only, so an uppercase GUID would not be skipped.
    take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @"[a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}")),
    take_anyif(Location, isnotempty(Location)),
    // Only 0 can appear here given the ResultType filter above.
    ResultTypes = make_set(ResultType),
    AppDisplayNames = make_set(AppDisplayName),
    ResourceDisplayNames = make_set(ResourceDisplayName),
    UserAgents = make_set(UserAgent)
    by IPAddress, HomeTenantId, ResourceTenantId, UserId
// Final column order for the result set; IPAddressType and IPAddressList are dropped.
| project
    StartTime,
    EndTime,
    UserPrincipalName,
    IPAddress,
    Location,
    ResultTypes,
    AppDisplayNames,
    ResourceDisplayNames,
    UserAgents,
    HomeTenantId,
    ResourceTenantId,
    UserId

Explanation

The query loads the published Azure public IP ranges and then looks for successful Azure Portal sign-ins in which the user's home tenant differs from the resource tenant. It classifies each sign-in's source IP address as IPv4 or IPv6, keeps only the sign-ins whose address falls inside one of the Azure ranges for that family, and summarizes the results per IP address, tenant pair and user, reporting start time, end time, user details, location, and more.

Details


Jose Sebastián Canós

Released: February 19, 2024

Tables

SigninLogs

Keywords

AzureIPRanges,SigninLogs,AppDisplayName,ResultType,HomeTenantId,ResourceTenantId,AADTenantId,IPAddress,IPAddressType,TimeGenerated,UserPrincipalName,Location,ResultTypes,AppDisplayNames,ResourceDisplayNames,UserAgents,UserId.

Operators

mv-expand, mv-expand, distinct, extend, case, isnotempty, parse_ipv4, isempty, parse_ipv6, summarize, make_list, by, where, has, ==, !=, extend, join, kind, inner, on, ipv4_is_in_any_range, ipv6_is_in_any_range, false, min, max, take_anyif, matches regex, isnotempty, make_set, project.
