Query Details

Single Factor Authentication Sign In Using Password Detected

Query

id: cac26183-5f69-4257-964d-5615f21f05ac
name: Single factor authentication sign-in using password detected
version: 1.0.0
kind: Scheduled
description: A user has signed in to Entra ID using only a password, without providing a second factor, from a device that is not compliant and a network location that is not trusted. This is a high fidelity indicator that the conditional access design has a loophole and that either an attacker or the valid user has used it to authenticate.
severity: Medium
queryFrequency: 15m
queryPeriod: 20m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |+
  // Alert on single factor authentication using a password from a non-compliant device on a non-trusted network location
  SigninLogs
  // Scheduled every 15m; filter on ingestion time so late-arriving events are not missed between runs
  | where ingestion_time() > ago(17m)
  // Query only successful sign-ins
  | where ResultType == 0
  // Ignore interactive login to Windows
  | where AppDisplayName != "Windows Sign In"
  // Limit to password-only authentication (first authentication step)
  | extend authenticationMethod = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
  | where authenticationMethod == "Password"
  // Limit to non-MFA sign-ins; authenticationStepRequirement is only kept for context in the output
  | extend authenticationStepRequirement = tostring(parse_json(AuthenticationDetails)[0].authenticationStepRequirement)
  | where AuthenticationRequirement != "multiFactorAuthentication"
  // Remove all sign-ins coming from either a named network location or a compliant device
  // (a missing isCompliant value is treated as not compliant)
  | where tostring(NetworkLocationDetails) == "[]" and coalesce(tobool(DeviceDetail.isCompliant), false) == false
  // Add UserName and UserUPNSuffix as strings for strong entity match
  | extend UserName = tostring(split(UserPrincipalName, '@')[0]), UserUPNSuffix = tostring(split(UserPrincipalName, '@')[1])
  | extend DeviceId = tostring(DeviceDetail.deviceId)
  | extend DeviceOperatingSystem = tostring(DeviceDetail.operatingSystem)
  | project-reorder TimeGenerated, UserPrincipalName, authenticationStepRequirement, AuthenticationRequirement, authenticationMethod, AuthenticationProtocol

suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails:
    - DisplayName
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: AadUserId
    columnName: UserId
  - identifier: Name
    columnName: UserName
  - identifier: UPNSuffix
    columnName: UserUPNSuffix
- entityType: Host
  fieldMappings:
  - identifier: AzureID
    columnName: DeviceId
  - identifier: OSFamily
    columnName: DeviceOperatingSystem
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddressFromResourceProvider
suppressionDuration: 5h

Explanation

This query detects a user signing in to Entra ID with only a password and no second factor. It starts from successful sign-ins, ignores interactive Windows sign-ins, keeps only sign-ins whose first authentication step was a password and whose AuthenticationRequirement was not multi-factor, and then drops sign-ins that matched a named network location or came from a compliant device. What remains are password-only sign-ins from unmanaged devices on unknown networks, the combination a Conditional Access design that requires MFA outside trusted locations and compliant devices should never allow, which is why the rule treats a hit as a high fidelity indicator of a policy gap. Note that the network filter removes any sign-in with a non-empty NetworkLocationDetails, so a named location that is not marked as trusted is excluded as well, and that in a tenant where password-only sign-in is still permitted elsewhere the rule will be noisy rather than high fidelity. The query adds the user's name and UPN suffix and the device ID and operating system for entity matching.

The rule is scheduled every 15 minutes with a 20 minute lookback period, but the query itself filters on ingestion_time() within the last 17 minutes, so it keys on when events arrived in the workspace rather than on TimeGenerated, which avoids missing late-arriving sign-ins between runs. Each run produces a single alert; alerts are grouped into incidents by the Account entity and the alert display name over a 5 hour lookback, and entity mappings are provided for account, host and both IP columns. A suppression duration of 5 hours is configured, but suppression is disabled (suppressionEnabled: false), so every run that returns rows raises an alert.
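As an added example (not part of the rule or of Fabian Bader's code), the same filter chain re-implemented in Python and run over a handful of constructed SigninLogs-shaped rows, so the effect of each where clause can be checked offline before the rule is deployed. The user names, object IDs, IP addresses and the row layout are assumptions chosen to mirror the columns the query reads; the two interpretation choices are that a missing DeviceDetail.isCompliant counts as not compliant, and that any non-empty NetworkLocationDetails (trusted or not) excludes the row, which is what the NetworkLocationDetails == "[]" test does.

```python
from __future__ import annotations

import json
from typing import Any


def _signin(upn: str, user_id: str, ip: str, *, result: int = 0,
            app: str = "Office 365 Exchange Online",
            requirement: str = "singleFactorAuthentication",
            method: str = "Password",
            network: list[dict[str, str]] | None = None,
            device: dict[str, Any] | None = None) -> dict[str, Any]:
    """Build one constructed SigninLogs-shaped row (hypothetical users and IPs)."""
    return {
        "TimeGenerated": "2023-10-07T08:00:00Z",
        "UserPrincipalName": upn,
        "UserId": user_id,
        "IPAddress": ip,
        "ResultType": result,
        "AppDisplayName": app,
        "AuthenticationRequirement": requirement,
        # SigninLogs stores this as a dynamic array; the rule reads element [0]
        "AuthenticationDetails": json.dumps([{
            "authenticationMethod": method,
            "authenticationStepRequirement": "Primary authentication",
            "succeeded": result == 0,
        }]),
        "NetworkLocationDetails": [] if network is None else network,
        "DeviceDetail": {"deviceId": "", "operatingSystem": "Windows 10",
                         "isCompliant": False} if device is None else device,
    }


# Constructed sample data, one row per branch of the rule (not real telemetry).
SAMPLE_SIGNINS: list[dict[str, Any]] = [
    # 1: password only, unknown network, non-compliant device -> alert
    _signin("alice@contoso.example", "10000000-0000-0000-0000-000000000001", "203.0.113.10"),
    # 2: password followed by a second factor -> no alert
    _signin("bob@contoso.example", "10000000-0000-0000-0000-000000000002", "203.0.113.11",
            requirement="multiFactorAuthentication"),
    # 3: same as alice but from a named location -> excluded by the "[]" test
    _signin("carol@contoso.example", "10000000-0000-0000-0000-000000000003", "198.51.100.5",
            network=[{"networkType": "trustedNamedLocation"}]),
    # 4: compliant (Intune-managed) device -> no alert
    _signin("dave@contoso.example", "10000000-0000-0000-0000-000000000004", "203.0.113.12",
            device={"deviceId": "d9c2f1a0", "operatingSystem": "Windows 11", "isCompliant": True}),
    # 5: interactive Windows logon -> ignored by the rule
    _signin("erin@contoso.example", "10000000-0000-0000-0000-000000000005", "203.0.113.13",
            app="Windows Sign In"),
    # 6: failed sign-in (50126, invalid username or password) -> no alert
    _signin("frank@contoso.example", "10000000-0000-0000-0000-000000000006", "203.0.113.14",
            result=50126),
    # 7: edge case: device record without an isCompliant field at all -> alert
    _signin("grace@contoso.example", "10000000-0000-0000-0000-000000000007", "203.0.113.15",
            device={"deviceId": "", "operatingSystem": "macOS"}),
]


def first_auth_step(row: dict[str, Any]) -> dict[str, Any]:
    """Mirror parse_json(AuthenticationDetails)[0]."""
    details = row["AuthenticationDetails"]
    if isinstance(details, str):
        details = json.loads(details)
    return details[0] if details else {}


def is_single_factor_password_signin(row: dict[str, Any]) -> bool:
    """Apply the rule's where clauses, in order, to one row."""
    if row["ResultType"] != 0:                        # successful sign-ins only
        return False
    if row["AppDisplayName"] == "Windows Sign In":    # ignore interactive Windows logon
        return False
    if first_auth_step(row).get("authenticationMethod") != "Password":
        return False
    if row["AuthenticationRequirement"] == "multiFactorAuthentication":
        return False
    if row["NetworkLocationDetails"]:                 # NetworkLocationDetails == "[]"
        return False
    # DeviceDetail.isCompliant != true; a missing value counts as not compliant
    if row["DeviceDetail"].get("isCompliant") is True:
        return False
    return True


def detect(rows: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return the rows the rule would alert on, with the entity columns it extends."""
    alerts = []
    for row in rows:
        if not is_single_factor_password_signin(row):
            continue
        user_name, _, upn_suffix = row["UserPrincipalName"].partition("@")
        alerts.append({
            "TimeGenerated": row["TimeGenerated"],
            "UserPrincipalName": row["UserPrincipalName"],
            "UserId": row["UserId"],
            "UserName": user_name,
            "UserUPNSuffix": upn_suffix,
            "DeviceId": str(row["DeviceDetail"].get("deviceId", "")),
            "DeviceOperatingSystem": str(row["DeviceDetail"].get("operatingSystem", "")),
            "IPAddress": row["IPAddress"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_SIGNINS):
        print(f'{alert["UserPrincipalName"]} from {alert["IPAddress"]} '
              f'({alert["DeviceOperatingSystem"] or "unknown OS"})')
```

Running it prints only alice and grace; the other five rows each fall out on exactly one clause, which is the property worth re-checking whenever the KQL is changed.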

Details

Fabian Bader

Released: October 7, 2023

Tables

SigninLogs

Keywords

Devices, Intune, User

Operators

where, |, >, ago, ==, !=, extend, split, project-reorder