Query Details
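// Surfaces sign-ins over legacy / basic-auth protocols and clients that fall outside the
// tenant's known-good baseline (expected failure codes, corporate geolocations, egress IP ranges).
// Protocols that cannot carry modern-auth claims (no MFA / Conditional Access device state).
let legacy_auth_protocols = dynamic(["Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync", "Exchange Online PowerShell", "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3", "Reporting Web Services", "Other clients"]);
// User agents typical of basic-auth clients; matched exactly (not by substring) below.
let legacy_user_agents = dynamic(["BAV2ROPC", "CBAinPROD", "CBAinTAR", "MSRPC"]);
// Failure result types the watchlist marks as expected noise; entries tagged [Expired] are ignored.
let _ExpectedResultTypes = toscalar(
    _GetWatchlist("ResultType-SignInLogsErrorCodes")
    | where Notes has "[Failure]" and not(Notes has "[Expired]") and isnotempty(ResultDescription)
    | summarize make_list(ResultType)
);
// Corporate geolocations; a sign-in from one of these only lowers the severity, it is not excluded.
let _ExpectedLocations = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "CorporateGeolocation"
    | summarize make_list(Auxiliar)
);
// Corporate egress plus Microsoft home-tenant ranges. Only IPv4 ranges are matched further down.
let _ExpectedIPRanges = toscalar(
    union
        (_GetWatchlist("IP-CorporateCollaborators") | where Notes has "[Egress]"),
        (_GetWatchlist("IP-Vendors") | where Vendor == "Microsoft" and Notes has "[HomeTenant]")
    | summarize make_list(IPAddress)
);
// Hoisted so the exclusion on expected result types and the built-in-protection override stay in sync.
let _BuiltInProtectionBlockMsg = "Sign-in was blocked by built-in protections due to high confidence of risk";
SigninLogs
| where ClientAppUsed in (legacy_auth_protocols) or UserAgent in (legacy_user_agents)
// Drops plain wrong-password attempts and risk that has already been remediated.
// NOTE: this also drops password-spray noise over legacy protocols; cover that with a dedicated rule.
| where not(AuthenticationDetails has "Incorrect password" or RiskState == "remediated")
// Expected failure codes are excluded unless built-in protections blocked the sign-in.
| where not(ResultType in (_ExpectedResultTypes) and not(ResultDescription has _BuiltInProtectionBlockMsg or Status has _BuiltInProtectionBlockMsg))
// parse_ipv4 returns null for non-IPv4 input, so IPv6 sources are never treated as expected and stay in the result.
| where not(isnotempty(parse_ipv4(IPAddress)) and ipv4_is_in_any_range(IPAddress, _ExpectedIPRanges))
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    ResultTypes = make_set(ResultType),
    Resources = make_set(ResourceDisplayName),
    // Empty strings are filtered as well as "none" so an unset risk field does not show up as a distinct value.
    RiskStates = make_set_if(RiskState, isnotempty(RiskState) and RiskState != "none"),
    RiskLevelsAggregated = make_set_if(RiskLevelAggregated, isnotempty(RiskLevelAggregated) and RiskLevelAggregated != "none"),
    RiskEventTypes = make_set(todynamic(RiskEventTypes)),
    CorrelationIds = make_set(CorrelationId),
    // Latest sign-in in the group supplies the user, location and Conditional Access context.
    arg_max(TimeGenerated, UserPrincipalName, UserDisplayName, Location, NetworkLocationDetails, ConditionalAccessStatus, ConditionalAccessPolicies)
    by UserId, IPAddress, AppDisplayName, AppId, UserAgent, ClientAppUsed
// Severity is driven by geolocation only; an expected location still produces a Low alert.
| extend AlertSeverity = iff(Location in (_ExpectedLocations), "Low", "High")
| project
    StartTime,
    EndTime,
    UserPrincipalName,
    UserDisplayName,
    IPAddress,
    Location,
    NetworkLocationDetails,
    ResultTypes,
    AppDisplayName,
    Resources,
    ClientAppUsed,
    UserAgent,
    ConditionalAccessStatus,
    ConditionalAccessPolicies,
    RiskStates,
    RiskLevelsAggregated,
    RiskEventTypes,
    CorrelationIds,
    AppId,
    UserId,
    AlertSeverity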
This query is designed to analyze sign-in logs and identify potentially suspicious activities related to legacy authentication protocols and user agents. Here's a simplified breakdown of what the query does:
Define Legacy Protocols and User Agents: It starts by defining lists of legacy authentication protocols and user agents that are considered less secure or outdated.
Fetch Expected Results, Locations, and IP Ranges: It retrieves expected error codes, significant activity locations, and IP ranges from watchlists. These are used to filter out known safe activities.
Filter Sign-in Logs: The query filters the sign-in logs to focus on entries that use a legacy protocol or legacy user agent, are not plain incorrect-password attempts or already-remediated risk, do not carry an expected failure result type (unless the sign-in was blocked by built-in protections), and do not originate from an expected IPv4 range.
Summarize Data: It summarizes the filtered data by user and application details, capturing the time range, result types, resources accessed, risk states, and other relevant information.
Determine Alert Severity: It assigns an alert severity level based on whether the sign-in location is expected or not, marking unexpected locations as "High" severity and expected ones as "Low".
Project Relevant Fields: Finally, it selects and displays key fields such as user details, IP address, location, application details, risk information, and alert severity for further analysis or alerting.
Overall, the query is used to detect and highlight potentially risky sign-in activities that deviate from expected patterns, focusing on legacy authentication methods.

Jose Sebastián Canós
Released: July 30, 2025