KQL Search

Query Details

HomeAI ToolsDevice Query

Suspicious AS Ns

Query

union SigninLogs, AADNonInteractiveUserSignInLogs
| where AutonomousSystemNumber in (33438, 25369, 62240, 9009, 60068, 40676, 8100)
| summarize
    min(TimeGenerated),
    max(TimeGenerated),
    ResultTypes = make_set(ResultType),
    IPAddresses = make_set(IPAddress),
    ASNs = make_set(AutonomousSystemNumber),
    AppDisplayNames = make_set(AppDisplayName),
    ClientAppUsed = make_set_if(ClientAppUsed, isnotempty(ClientAppUsed)),
    ResourceDisplayNames = make_set(ResourceDisplayName),
    take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @"[a-f0-9]+\-[a-f0-9]+\-[a-f0-9]+\-[a-f0-9]+\-[a-f0-9]+")),
    take_anyif(UserDisplayName, isnotempty(UserDisplayName))
    by UserId
| project UserPrincipalName, UserDisplayName, min_TimeGenerated, max_TimeGenerated, ResultTypes, IPAddresses, ASNs, AppDisplayNames, ClientAppUsed, ResourceDisplayNames, UserId

Explanation

This query combines two tables, SigninLogs and AADNonInteractiveUserSignInLogs, and filters the results based on a list of Autonomous System Numbers. It then summarizes the data by finding the minimum and maximum TimeGenerated values, creating sets of ResultTypes, IPAddresses, ASNs, AppDisplayNames, and ResourceDisplayNames. It also creates a set of ClientAppUsed values if they are not empty. Additionally, it selects a UserPrincipalName and UserDisplayName that do not match a specific regex pattern and are not empty. Finally, it projects the selected columns and renames some of them for clarity.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: October 14, 2022

Tables

SigninLogsAADNonInteractiveUserSignInLogs

Keywords

Devices,Intune,User

Operators

unionwheresummarizemake_setmake_set_iftake_anyifbyproject

Actions