Query Details

Identification Of Risky Users Risk Dismissal Or Account Compromised Confirmation

Query

# Identification of risky users risk dismissal or account compromised confirmation

## Description

The following query uses the audit trail that Microsoft Entra ID Protection writes to AuditLogs to identify risky-user operations of two kinds: risk dismissal (the "DismissUser" operation) and confirmation that an account is compromised (the "ConfirmAccountCompromised" operation).

### Microsoft Sentinel
```
let Timeframe = 90d;
AuditLogs
    | where TimeGenerated > ago(Timeframe)
    // Keep both risk-state operations; uncomment one of the two lines below to focus on a single operation
    | where OperationName in ("DismissUser", "ConfirmAccountCompromised")
    //| where OperationName == "DismissUser"
    //| where OperationName == "ConfirmAccountCompromised"
    // Display name of the user whose risk state was changed
    | extend SuspUser = tostring(TargetResources[0].displayName)
    // Add here the name of the user you want to focus on
    //| where SuspUser contains @""
    // UPN of the security operator who performed the operation
    | extend SecUser = tostring(InitiatedBy.user.userPrincipalName)
    // Add here the name of the security operator who dismissed the risk or confirmed the account compromised
    //| where SecUser contains @""
    | project TimeGenerated, OperationName, SuspUser, SecUser
    | sort by TimeGenerated desc
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 14/12/2023    | Initial publish                        |

Explanation

This query uses the Microsoft Entra ID Protection audit trail to identify risky-user operations related to risk dismissal or account compromise confirmation. It reads AuditLogs within a specified timeframe (90 days by default) and filters for the "DismissUser" and "ConfirmAccountCompromised" operations. It then extracts the display name of the targeted user and the user principal name of the security operator who dismissed the risk or confirmed the compromise. The results are sorted by the time the operation was generated, newest first.
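As an added example that is not part of the original query, the following KQL summarizes the same DismissUser and ConfirmAccountCompromised events per operator, so that an operator who clears risk on many users, or on their own account, stands out for review. It assumes the standard AuditLogs columns Result, TargetResources[0].userPrincipalName and InitiatedBy.user.ipAddress, which the original query does not use.

```kql
// Added example, not the original query: per-operator summary of risk-state changes.
// Assumes standard Entra ID AuditLogs columns (Result, TargetResources[0].userPrincipalName,
// InitiatedBy.user.ipAddress) are populated.
let Timeframe = 90d;
AuditLogs
    | where TimeGenerated > ago(Timeframe)
    | where OperationName in ("DismissUser", "ConfirmAccountCompromised")
    // Who was acted on, and who acted (lower-cased so the UPNs can be compared)
    | extend SuspUser = tostring(TargetResources[0].displayName),
             SuspUpn  = tolower(tostring(TargetResources[0].userPrincipalName)),
             SecUser  = tolower(tostring(InitiatedBy.user.userPrincipalName)),
             SecIp    = tostring(InitiatedBy.user.ipAddress)
    | summarize Dismissals     = countif(OperationName == "DismissUser"),
                Confirmations  = countif(OperationName == "ConfirmAccountCompromised"),
                // An operator dismissing the risk on their own account deserves a second look
                SelfDismissals = countif(OperationName == "DismissUser" and SuspUpn == SecUser),
                Failed         = countif(Result != "success"),
                Targets        = make_set(SuspUser, 50),
                SourceIps      = make_set(SecIp, 10),
                FirstSeen      = min(TimeGenerated),
                LastSeen       = max(TimeGenerated)
              by SecUser
    | sort by SelfDismissals desc, Dismissals desc
```

Review the rows with a non-zero SelfDismissals count or an unexpectedly high Dismissals count first; the Targets and SourceIps sets show which users were affected and from where the operator worked.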

Details


Michalis Michalos

Released: December 14, 2023

Tables

AuditLogs

Keywords

Devices, Intune, User

Operators

where, extend, project, sort by
