Query Details

Detect Potential ConsentFix OAuth Authorisation Code Theft Attempts

Query

//Query from https://sentinel.blog/consentfix-securing-your-tenant-against-oauth-authorisation-code-theft/
//Credit: Toby G
// Focus on non-interactive sign-ins to vulnerable applications from unexpected locations
let VulnerableApps = dynamic([
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46",  // Azure CLI
    "1950a258-227b-4e31-a9cf-717495945fc2",  // Azure PowerShell
    "04f0c124-f2bc-4f59-8241-bf6df9866bbd",  // Visual Studio
    "aebc6443-996d-45c2-90f0-388ff96faa56",  // VS Code
    "12128f48-ec9e-42f0-b203-ea49fb6af367"   // Teams PowerShell
]);
let TimeWindow = 24h;
// Get successful interactive sign-ins
let InteractiveSessions = SigninLogs
| where TimeGenerated > ago(TimeWindow)
| where AppId in (VulnerableApps)
| where ResultType == 0
| where AuthenticationRequirement in ("singleFactorAuthentication", "multiFactorAuthentication")
| extend InteractiveTime = TimeGenerated
| extend LocationDetailsJson = parse_json(LocationDetails)
| extend InteractiveLocation = tostring(LocationDetailsJson.countryOrRegion)
| extend InteractiveCity = tostring(LocationDetailsJson.city)
| project UserPrincipalName, CorrelationId, InteractiveTime, InteractiveLocation, InteractiveCity, IPAddress, AppDisplayName, SessionId = CorrelationId;
// Get non-interactive token requests
let NonInteractiveSessions = AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(TimeWindow)

Explanation

This KQL (Kusto Query Language) query is designed to monitor and identify potential security risks related to OAuth authorization code theft in a Microsoft Azure environment. Here's a simplified breakdown of what the query does:

  1. Define Vulnerable Applications: It starts by listing a set of application IDs that are considered vulnerable. These include Azure CLI, Azure PowerShell, Visual Studio, VS Code, and Teams PowerShell.

  2. Set a Time Window: The query focuses on activities that occurred within the last 24 hours.

  3. Identify Interactive Sign-ins:

    • It searches through sign-in logs to find successful interactive sign-ins (where a user manually logs in) to the vulnerable applications within the specified time window.
    • It filters these sign-ins to only include those that were authenticated using either single-factor or multi-factor authentication.
    • For each sign-in, it extracts the user's principal name, correlation ID, time of sign-in, location (country or region and city), IP address, and application display name, and reuses the correlation ID as the session ID.

  4. Prepare for Non-Interactive Sessions:

    • The query sets up a structure to capture non-interactive sign-ins (where a system or application logs in without user interaction) from the Azure Active Directory logs.
    • This part of the query is incomplete in the provided snippet but is intended to identify non-interactive sign-ins to the same vulnerable applications within the same time window.

Overall, the query aims to detect and analyze sign-in patterns, focusing on non-interactive sign-ins to vulnerable applications from unexpected locations, which could indicate unauthorized access, such as an attacker redeeming a stolen authorisation code from a location that does not match the user's interactive sign-in.
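As an added illustration, not code from the query above or from the sentinel.blog post, the Python below applies the correlation the explanation describes to constructed sample events: a non-interactive token request to one of the listed vulnerable apps is flagged when the same user's recent interactive sign-in to that app came from a different country. The query's join logic is cut off on this page, so the pairing rule used here (same user, same app, within 24 hours, different country) is an assumption, as are the simplified field names.

```python
from datetime import datetime, timedelta

# Client application IDs the query lists as vulnerable (taken from the page).
VULNERABLE_APPS = {
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46",  # Azure CLI
    "1950a258-227b-4e31-a9cf-717495945fc2",  # Azure PowerShell
    "04f0c124-f2bc-4f59-8241-bf6df9866bbd",  # Visual Studio
    "aebc6443-996d-45c2-90f0-388ff96faa56",  # VS Code
    "12128f48-ec9e-42f0-b203-ea49fb6af367",  # Teams PowerShell
}
AZ_CLI, VS_CODE = "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "aebc6443-996d-45c2-90f0-388ff96faa56"
OTHER_APP = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app id

def event(upn, app_id, time, country, city, ip):
    """Build a simplified sign-in record; keys are assumptions, not the real column names."""
    return {"upn": upn, "app_id": app_id, "time": time, "country": country, "city": city, "ip": ip}

# Constructed sample events standing in for SigninLogs (interactive sign-ins) and
# AADNonInteractiveUserSignInLogs (token requests); IPs are documentation ranges.
INTERACTIVE = [
    event("alice@example.com", AZ_CLI, "2026-02-05T09:00:00", "GB", "London", "198.51.100.10"),
    event("bob@example.com", VS_CODE, "2026-02-05T10:00:00", "GB", "Leeds", "198.51.100.11"),
]
NON_INTERACTIVE = [
    # alice's token used 20 minutes later from another country: suspicious
    event("alice@example.com", AZ_CLI, "2026-02-05T09:20:00", "NL", "Amsterdam", "203.0.113.5"),
    # bob's token refresh from the same place as his sign-in: benign
    event("bob@example.com", VS_CODE, "2026-02-05T10:05:00", "GB", "Leeds", "198.51.100.11"),
    # an app outside the vulnerable list: ignored even though the country differs
    event("alice@example.com", OTHER_APP, "2026-02-05T09:30:00", "NL", "Amsterdam", "203.0.113.5"),
]

def find_location_mismatches(interactive, non_interactive, window=timedelta(hours=24)):
    """Pair each non-interactive request with an earlier interactive sign-in by the same
    user to the same vulnerable app within `window`, and report pairs whose country differs."""
    findings = []
    for ni in non_interactive:
        if ni["app_id"] not in VULNERABLE_APPS:
            continue
        ni_time = datetime.fromisoformat(ni["time"])
        for it in interactive:
            if it["upn"] != ni["upn"] or it["app_id"] != ni["app_id"]:
                continue
            elapsed = ni_time - datetime.fromisoformat(it["time"])
            if timedelta(0) <= elapsed <= window and it["country"] != ni["country"]:
                findings.append({"upn": ni["upn"], "app_id": ni["app_id"],
                                 "interactive_from": f"{it['city']}, {it['country']} ({it['ip']})",
                                 "token_request_from": f"{ni['city']}, {ni['country']} ({ni['ip']})",
                                 "minutes_after_sign_in": int(elapsed.total_seconds() // 60)})
    return findings
```

Run over the sample data, only alice's Azure CLI token request from the Netherlands is reported; bob's same-location refresh and the request to an unlisted app are not.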

Details

Jay Kerai

Released: February 5, 2026

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

SigninLogs, AADNonInteractiveUserSignInLogs, UserPrincipalName, CorrelationId, TimeGenerated, AppId, ResultType, AuthenticationRequirement, LocationDetails, IPAddress, AppDisplayName, SessionId

Operators

let, dynamic, where, in, extend, parse_json, tostring, project, ago