Query Details

Signin Logs Potential Compliant Device Bypass Attempt

Query

// https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
let query_period = 1h;
// let _SuccessResultTypes = toscalar(
//     _GetWatchlist("ResultType-SignInLogsErrorCodes")
//     | where Notes has_all ("[Success]", "[Complete]") and isnotempty(ResultDescription)
//     | summarize make_list(ResultType)
// );
// let expected_resource_serviceprincipal_ids = dynamic([]);
// Seed rows: a client presenting the Company Portal app ID obtains a Microsoft Graph token
// with no device identity attached (DeviceDetail.deviceId is empty).
SigninLogs
| where TimeGenerated > ago(query_period)
| where AppId == "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" // Microsoft Intune Company Portal
    and ResourceIdentity == "00000003-0000-0000-c000-000000000000" // Microsoft Graph
| where isempty(tostring(DeviceDetail["deviceId"]))
// | where ResultType in (_SuccessResultTypes)
// rightsemi: return every sign-in in the window that shares a CorrelationId with a seed row,
// so the whole authentication flow (other apps, resources, result codes) reaches the summarize.
| join kind=rightsemi (
    SigninLogs
    | where TimeGenerated > ago(query_period)
    ) on CorrelationId
| summarize
    arg_min(CreatedDateTime, *),
    ResultTypes = array_sort_asc(make_set(ResultType)),
    AppIds = array_sort_asc(make_set(AppId)),
    ResourceIdentities = array_sort_asc(make_set(ResourceIdentity)),
    ResourceServicePrincipalIds = array_sort_asc(make_set(ResourceServicePrincipalId))
    by CorrelationId, UserId, IPAddress
// | where not(
//     ResultTypes has_all ("50097", "50129") // ResultTypes related to Entra registered (Workplace join)
//     and AppIds has "29d9ed98-a469-4536-ade2-f981bc1d605e" // Microsoft Authentication Broker
//     and ResourceIdentities has_any (expected_resource_serviceprincipal_ids) // ResourceDisplayName empty and ResourceIdentity == ResourceServicePrincipalId // might be custom by tenant
//     and ResourceServicePrincipalIds has_any (expected_resource_serviceprincipal_ids) // ResourceDisplayName empty and ResourceIdentity == ResourceServicePrincipalId // might be custom by tenant
//     )
| project-reorder
    CreatedDateTime,
    Category,
    UserPrincipalName,
    UserDisplayName,
    IPAddress,
    AutonomousSystemNumber,
    Location,
    ResultType,
    ResultDescription,
    AppDisplayName,
    ResourceDisplayName,
    ClientAppUsed,
    UserAgent,
    DeviceDetail,
    AuthenticationRequirement,
    ConditionalAccessStatus,
    ConditionalAccessPolicies,
    AppId,
    ResourceIdentity,
    ResourceServicePrincipalId,
    HomeTenantId,
    ResourceTenantId,
    UserType,
    UserId,
    OriginalRequestId,
    CorrelationId

Explanation

This KQL query hunts SigninLogs for the pattern behind the query's name and the JUMPSEC TokenSmith write-up it references: a client presenting the Microsoft Intune Company Portal application ID and obtaining Microsoft Graph tokens without any device identity attached, which is the shape of a compliant-device Conditional Access bypass attempt. Here's a breakdown of what the query does:

  1. Time Frame: It looks at sign-in logs from the past hour (query_period = 1h).

  2. Filter Criteria:

    • It keeps rows where AppId is the Microsoft Intune Company Portal.
    • It keeps rows where the resource is Microsoft Graph (ResourceIdentity 00000003-0000-0000-c000-000000000000).
    • It keeps rows where DeviceDetail.deviceId is empty. Company Portal on an enrolled or registered device normally presents a device identity, so a Graph token request under this client ID with no deviceId is the seed for the rule: something that is not a recognised device is using the Company Portal client identity.
  3. Join Operation:

    • It performs a rightsemi join against the same hour of SigninLogs on CorrelationId. This returns every sign-in row whose CorrelationId matches one of the seed rows, not only the seed rows themselves, so the whole authentication flow (other apps, resources and result codes sharing that correlation) is available for review.
  4. Summarization:

    • It groups the correlated rows by CorrelationId, UserId, and IPAddress.
    • For each group, arg_min(CreatedDateTime, *) keeps the columns of the earliest row.
    • make_set with array_sort_asc collects the distinct ResultType, AppId, ResourceIdentity, and ResourceServicePrincipalId values seen in that flow, which is what the commented-out exclusion below evaluates.
  5. Projection:

    • project-reorder moves CreatedDateTime, UserPrincipalName, IPAddress, ResultType, AppDisplayName, ConditionalAccessStatus, ConditionalAccessPolicies and the other analyst-facing fields to the front for easier triage.
  6. Commented Out Sections:

    • Two optional refinements are left commented out. The first restricts the seed rows to success or completed ResultTypes taken from the ResultType-SignInLogsErrorCodes watchlist, so that only flows in which a token was actually issued alert. The second drops flows the author's comments identify as Entra registration (workplace join): ResultTypes 50097 and 50129 together with the Microsoft Authentication Broker and tenant-specific resource service principal IDs that the analyst lists in expected_resource_serviceprincipal_ids. Without that exclusion, legitimate device registration can trigger the rule, so it is the first place to tune if the query is noisy.

Overall, the query surfaces Microsoft Graph token requests made under the Company Portal client identity with no device identity, together with the rest of the correlated sign-in flow, as candidates for a compliant-device Conditional Access bypass. A correlated row with ResultType 0 means a token was issued and deserves priority; the commented-out filters are the knobs for known-good registration traffic.
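To make the join and summarize semantics concrete, here is an added example (not part of the original query page and not the author's code): a Python re-implementation of the same detection logic, run over a few constructed SigninLogs-style records. The rows, user ids, IP addresses and the "sp-custom" service principal id are made up; the application and resource ids are the ones used in the query, and the time-window filter is assumed to have been applied already.

```python
# Added example: Python mirror of the KQL above, run over constructed SigninLogs-like rows.
# Not the query author's code. Sample rows, user ids, IPs and "sp-custom" are made up.
from collections import defaultdict

COMPANY_PORTAL_APP_ID = "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223"  # Microsoft Intune Company Portal
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"     # Microsoft Authentication Broker
WORKPLACE_JOIN_RESULT_TYPES = {"50097", "50129"}                # result codes the query ties to Entra registration


def _row(corr, created, app, resource, sp, result, device_id, user="user-1", ip="203.0.113.10"):
    """Build one constructed SigninLogs-like record holding only the fields the query uses."""
    return {
        "CorrelationId": corr, "UserId": user, "IPAddress": ip, "CreatedDateTime": created,
        "AppId": app, "ResourceIdentity": resource, "ResourceServicePrincipalId": sp,
        "ResultType": result, "DeviceDetail": {"deviceId": device_id},
    }


# Constructed sample data (not real tenant logs). ISO-8601 timestamps so string order is time order.
SAMPLE_SIGNIN_LOGS = [
    # Flow A: Company Portal client id requests a Graph token with no device identity,
    # first a failure (50126) then a success (0). This is the activity the query hunts.
    _row("corr-A", "2025-01-08T10:00:05Z", COMPANY_PORTAL_APP_ID, MS_GRAPH_RESOURCE_ID, "sp-graph", "0", ""),
    _row("corr-A", "2025-01-08T10:00:01Z", COMPANY_PORTAL_APP_ID, MS_GRAPH_RESOURCE_ID, "sp-graph", "50126", ""),
    # Flow B: same app and resource but from a registered device (deviceId populated): not a seed.
    _row("corr-B", "2025-01-08T10:05:00Z", COMPANY_PORTAL_APP_ID, MS_GRAPH_RESOURCE_ID, "sp-graph", "0", "dev-123"),
    # Flow C: a registration-like flow. deviceId is still empty, and the same correlation carries
    # Authentication Broker sign-ins with 50097/50129 against a tenant-specific resource.
    _row("corr-C", "2025-01-08T10:10:00Z", COMPANY_PORTAL_APP_ID, MS_GRAPH_RESOURCE_ID, "sp-graph", "0", "", user="user-2"),
    _row("corr-C", "2025-01-08T10:10:02Z", AUTH_BROKER_APP_ID, "sp-custom", "sp-custom", "50097", "", user="user-2"),
    _row("corr-C", "2025-01-08T10:10:03Z", AUTH_BROKER_APP_ID, "sp-custom", "sp-custom", "50129", "", user="user-2"),
    # Flow D: unrelated sign-in; never joined because no seed row shares its CorrelationId.
    _row("corr-D", "2025-01-08T10:15:00Z", AUTH_BROKER_APP_ID, MS_GRAPH_RESOURCE_ID, "sp-graph", "0", "", user="user-3"),
]


def is_seed(row):
    """First filter of the query: Company Portal -> Microsoft Graph with an empty deviceId."""
    device_id = str(row.get("DeviceDetail", {}).get("deviceId") or "")
    return (row["AppId"] == COMPANY_PORTAL_APP_ID
            and row["ResourceIdentity"] == MS_GRAPH_RESOURCE_ID
            and device_id == "")


def looks_like_workplace_join(finding, expected_resource_sp_ids):
    """The commented-out exclusion: 50097 and 50129 present, Authentication Broker present,
    and both resource sets touch one of the tenant's expected service principal ids."""
    expected = set(expected_resource_sp_ids)
    return (WORKPLACE_JOIN_RESULT_TYPES <= set(finding["ResultTypes"])
            and AUTH_BROKER_APP_ID in finding["AppIds"]
            and bool(expected & set(finding["ResourceIdentities"]))
            and bool(expected & set(finding["ResourceServicePrincipalIds"])))


def detect(rows, expected_resource_sp_ids=(), exclude_workplace_join=False):
    """Seed filter, rightsemi join on CorrelationId, summarize by (CorrelationId, UserId, IPAddress),
    then the optional registration exclusion. Returns one finding per group."""
    seed_ids = {r["CorrelationId"] for r in rows if is_seed(r)}
    # join kind=rightsemi keeps every row of the window whose CorrelationId matches a seed,
    # which pulls the whole authentication flow back in rather than just the seed row.
    groups = defaultdict(list)
    for r in rows:
        if r["CorrelationId"] in seed_ids:
            groups[(r["CorrelationId"], r["UserId"], r["IPAddress"])].append(r)
    findings = []
    for grp in groups.values():
        finding = dict(min(grp, key=lambda r: r["CreatedDateTime"]))  # arg_min(CreatedDateTime, *)
        finding["ResultTypes"] = sorted({r["ResultType"] for r in grp})  # array_sort_asc(make_set(...))
        finding["AppIds"] = sorted({r["AppId"] for r in grp})
        finding["ResourceIdentities"] = sorted({r["ResourceIdentity"] for r in grp})
        finding["ResourceServicePrincipalIds"] = sorted({r["ResourceServicePrincipalId"] for r in grp})
        if exclude_workplace_join and looks_like_workplace_join(finding, expected_resource_sp_ids):
            continue
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_SIGNIN_LOGS, expected_resource_sp_ids=["sp-custom"], exclude_workplace_join=True):
        print(f["CorrelationId"], f["CreatedDateTime"], f["ResultTypes"], f["AppIds"])
```

Run as-is, flows A and C both come back from the seed filter and join; only once the exclusion is enabled with "sp-custom" listed as an expected resource does flow C drop out, leaving flow A, whose earliest row (the 50126 failure) is what arg_min reports while ResultTypes still shows the later success. That is the same tuning trade-off the commented-out KQL lines offer.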

Details


Jose Sebastián Canós

Released: January 8, 2025

Tables

SigninLogs

Keywords

SigninLogs, Devices, Intune, User, Microsoft Graph

Operators

let, toscalar, _GetWatchlist, has_all, isnotempty, summarize, make_list, dynamic, ago, isempty, tostring, join, arg_min, array_sort_asc, make_set, by, project-reorder
