Query Details
AADSignInEventsBeta
| where AccountUpn != AccountObjectId
    and (isnotempty(AlternateSignInName) and AccountUpn != AlternateSignInName)
    and (ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" or ResourceId == "4765445b-32c6-49b0-83e6-1d93765276ca") // OfficeHome
    and ClientAppUsed == "Browser"
| where not(NetworkLocationDetails has '"networkType":"trustedNamedLocation"')
| extend
    UPNUserName = tostring(split(AccountUpn, "@")[0]),
    AlternateUserName = tostring(split(AlternateSignInName, "@")[0])
| where not(UPNUserName startswith AlternateUserName or AlternateUserName startswith UPNUserName)
| as _Events
| join kind=leftsemi (
    AADSignInEventsBeta
    | where SessionId in (toscalar(_Events | summarize make_set(SessionId)))
    | summarize AlternateSignInNames = make_set(AlternateSignInName), EndpointCalls = make_set(EndpointCall) by SessionId
    | where EndpointCalls has "Login:reprocess"
) on SessionId
| project
    Timestamp,
    LogonType,
    AccountUpn,
    AlternateSignInName,
    IPAddress,
    Country,
    ErrorCode,
    EndpointCall,
    Application,
    ResourceDisplayName,
    ClientAppUsed,
    UserAgent,
    OSPlatform,
    ApplicationId,
    ResourceId,
    AccountObjectId,
    SessionId,
    RequestId,
    CorrelationId,
    ReportId
This query hunts in AADSignInEventsBeta (Microsoft Entra ID, formerly Azure AD, sign-in telemetry as exposed in Microsoft Defender XDR) for browser sign-ins to OfficeHome (application or resource ID 4765445b-32c6-49b0-83e6-1d93765276ca) in which the alternate sign-in name recorded for the event does not match the UPN of the account that was actually signed in, and the same session also contains a "Login:reprocess" endpoint call.

The first filter drops rows whose AccountUpn is merely the object ID, rows with no AlternateSignInName, rows where the alternate name equals the UPN, and anything that is not a browser sign-in to OfficeHome. Sign-ins from a trusted named location are then excluded by matching the raw NetworkLocationDetails JSON for "networkType":"trustedNamedLocation". Next, the local parts of both names (the text before the @) are compared with startswith, which is case-insensitive in KQL, so pairs such as jdoe / jdoe.admin or JDoe / jdoe are treated as the same person and removed; only names that are not prefix-related survive. Finally, the leftsemi join keeps a surviving row only if some sign-in event in the same SessionId, not necessarily an OfficeHome or browser one, recorded the endpoint call "Login:reprocess". Because leftsemi returns only left-side columns, the AlternateSignInNames and EndpointCalls sets built on the right side do not appear in the output; the projected EndpointCall is that of the matching row itself. When triaging a hit, pivot on SessionId and CorrelationId to see the full sequence of endpoint calls and every alternate name used in that session.
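To make the matching rules concrete, the following is an added Python re-implementation of the query's filters and session join, run over constructed sample rows shaped like AADSignInEventsBeta records. It is example code written for this page, not part of the original query or of Microsoft's tooling; the sample events, the make_event helper and the is_candidate/hunt function names are assumptions, and it approximates the KQL has operator with substring and equality matching.

```python
"""Reference model of the OfficeHome alternate-sign-in hunting query above.

Runs over constructed sample events (not real telemetry) so the effect of each
filter and of the leftsemi session join can be inspected offline.
"""
import json

OFFICE_HOME = "4765445b-32c6-49b0-83e6-1d93765276ca"
TRUSTED_MARKER = '"networkType":"trustedNamedLocation"'


def make_event(session, upn, alt, endpoint, app=OFFICE_HOME, client="Browser",
               trusted=False, object_id="00000000-0000-0000-0000-000000000001"):
    """Build one constructed row with the AADSignInEventsBeta columns the query uses."""
    net = {"networkType": "trustedNamedLocation" if trusted else "namedNetwork"}
    return {
        "SessionId": session, "AccountUpn": upn, "AccountObjectId": object_id,
        "AlternateSignInName": alt, "ApplicationId": app, "ResourceId": "",
        "ClientAppUsed": client, "EndpointCall": endpoint,
        # Compact JSON so the substring check below sees the same text the KQL 'has' sees.
        "NetworkLocationDetails": json.dumps([net], separators=(",", ":")),
    }


# Constructed sample sessions, one scenario per SessionId.
SAMPLE_EVENTS = [
    # S1: alternate name is a different identity, reprocess later in the session -> hit
    make_event("S1", "alice@contoso.com", "mallory@evil.example", "Login:login"),
    make_event("S1", "alice@contoso.com", "mallory@evil.example", "Login:reprocess", app="other-app"),
    # S2: local parts are prefix-related (bob vs bob.admin) -> treated as the same person
    make_event("S2", "bob@contoso.com", "bob.admin@contoso.com", "Login:login"),
    make_event("S2", "bob@contoso.com", "bob.admin@contoso.com", "Login:reprocess"),
    # S3: sign-in from a trusted named location -> excluded
    make_event("S3", "carol@contoso.com", "dave@contoso.com", "Login:login", trusted=True),
    make_event("S3", "carol@contoso.com", "dave@contoso.com", "Login:reprocess", trusted=True),
    # S4: mismatch, but no Login:reprocess anywhere in the session -> dropped by the join
    make_event("S4", "erin@contoso.com", "frank@contoso.com", "Login:login"),
    # S5: differs only by case; KQL startswith is case-insensitive -> excluded
    make_event("S5", "Grace@contoso.com", "grace@contoso.com", "Login:login"),
    make_event("S5", "Grace@contoso.com", "grace@contoso.com", "Login:reprocess"),
    # S6: AccountUpn populated with the object ID -> excluded by the first predicate
    make_event("S6", "00000000-0000-0000-0000-000000000001", "heidi@contoso.com", "Login:reprocess"),
]


def is_candidate(e):
    """Stage one of the query: every filter applied before the session join."""
    if e["AccountUpn"] == e["AccountObjectId"]:
        return False
    if not e["AlternateSignInName"] or e["AccountUpn"] == e["AlternateSignInName"]:
        return False
    if OFFICE_HOME not in (e["ApplicationId"], e["ResourceId"]):
        return False
    if e["ClientAppUsed"] != "Browser":
        return False
    if TRUSTED_MARKER in e["NetworkLocationDetails"]:  # approximates KQL 'has'
        return False
    upn_user = e["AccountUpn"].split("@")[0].lower()   # lower(): startswith is
    alt_user = e["AlternateSignInName"].split("@")[0].lower()  # case-insensitive in KQL
    return not (upn_user.startswith(alt_user) or alt_user.startswith(upn_user))


def reprocess_sessions(events, sessions):
    """Right side of the join: candidate sessions containing a Login:reprocess call
    from ANY sign-in event, not just OfficeHome/browser ones."""
    return {e["SessionId"] for e in events
            if e["SessionId"] in sessions and e["EndpointCall"] == "Login:reprocess"}


def hunt(events):
    """leftsemi join: keep candidate rows whose session had a reprocess call."""
    candidates = [e for e in events if is_candidate(e)]
    reproc = reprocess_sessions(events, {e["SessionId"] for e in candidates})
    return [e for e in candidates if e["SessionId"] in reproc]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["SessionId"], hit["AccountUpn"], hit["AlternateSignInName"], hit["EndpointCall"])
```

Only the S1 Login:login row is returned: the reprocess row that qualified the session is not an OfficeHome event, so it never enters the left side, which is exactly why the projected EndpointCall of a hit is usually not "Login:reprocess" itself.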

Jose Sebastián Canós
Released: May 7, 2024