Big Yellow Taxi - SignIn Based
Big Yellow Taxi Sign In
Query
let DefaultInboxFolders = pack_array("Inbox", "Drafts", "Sent Items", "Archive", "rss", "Inbox", "Deleted Items", "Junk Email");
let BinSize = 30m;
let TimeFrame = 14d;
let MaxSuccess = 10;
let MailBoxSyncOperations = CloudAppEvents
// List all MailItemsAccessed that are created because of a sync audit activity.
// The audit volume for sync operations is huge. So, instead of generating an audit record for each mail item that's synched, we generate an audit event for the mail folder containing items that were synched and assume that all mail items in the synched folder have been compromised.
// Info: https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts?view=o365-worldwide#auditing-sync-access
| where ActionType == "MailItemsAccessed"
| extend MailAccessType = toint(RawEventData.RecordType), IsThrottled = tostring(parse_json(RawEventData.OperationCount))
| where MailAccessType == 2
// Parse synchronised folders. All FolderNames should be considered compromised.
| extend ParentFolder = parse_json(RawEventData.Item).ParentFolder
| extend SyncedFolder = tostring(ParentFolder.Name), Path = tostring(ParentFolder.Path), MailboxGuid = tostring(parse_json(RawEventData.MailboxGuid)), UserId = tolower(parse_json(RawEventData.UserId))
| summarize TotalFolers = dcount(SyncedFolder), Folders = make_set(SyncedFolder) by bin(TimeGenerated, BinSize), UserId, IPAddress, MailboxGuid;
let LargeSyncOperations = MailBoxSyncOperations
// Filter & enrich results
| where TotalFolers >= array_length(DefaultInboxFolders)
| extend GeoIPInfo = geo_info_from_ip_address(IPAddress)
| extend country = tostring(parse_json(GeoIPInfo).country);
LargeSyncOperations
| join kind=inner (AADSignInEventsBeta | where TimeGenerated > startofday(ago(TimeFrame)) and LogonType == '["interactiveUser"]' | project ErrorCode, AccountUpn = tolower(AccountUpn), IPAddress | summarize TotalSuccess = countif(ErrorCode == 0), TotalFailed = countif(ErrorCode != 0) by AccountUpn, IPAddress) on $left.IPAddress == $right.IPAddress, $left.UserId == $right.AccountUpn
// Filter only on IPs with low successrate
| where TotalSuccess <= MaxSuccessAbout this query
Explanation
This KQL query is designed to detect potential security breaches involving email accounts, specifically focusing on suspicious mailbox synchronization activities. Here's a simplified explanation:
-
Purpose: The query aims to identify instances where an IP address with a low rate of successful interactive sign-ins is used to synchronize a mailbox. This could indicate that an unauthorized actor has compromised a user's credentials and is accessing their email.
-
Context: The query is part of a detection strategy named "Big Yellow Taxi," which was developed following a security incident at the State Department in 2023. The incident involved unauthorized access to mail systems, and the detection strategy focuses on analyzing logs related to mailbox access.
-
Data Sources:
- For Defender XDR, the query uses data from
CloudAppEventsandAADSignInEventsBetatables. - For Sentinel, it uses
OfficeActivityandSigninLogstables.
- For Defender XDR, the query uses data from
-
Process:
- The query first identifies mailbox synchronization activities by looking for specific audit events (
MailItemsAccessed) that indicate a folder in a mailbox has been accessed. - It then checks if the number of folders accessed is significant, suggesting a large-scale synchronization.
- The query enriches this data with geographical information based on the IP address.
- It joins this information with sign-in logs to find IP addresses with a low success rate of interactive sign-ins (10 or fewer successful logins within a 14-day timeframe).
- The query first identifies mailbox synchronization activities by looking for specific audit events (
-
Outcome: By filtering for IP addresses with low successful sign-in rates, the query helps identify potentially compromised accounts where an attacker might be synchronizing a mailbox without the legitimate user's knowledge.
-
Risk: The main risk addressed by this query is the unauthorized synchronization of mailboxes, which could lead to data breaches or information theft.
In summary, this query is a security measure to detect and investigate suspicious email access patterns that could indicate a compromised account.
Details

Bert-Jan Pals
Released: November 28, 2024
Tables
Keywords
Operators
MITRE Techniques