Query Details

Detect non-admin requesting token for admin applications

Detect User Request Token For Admin App

Query

N/A

About this query

Explanation

This query is designed to detect suspicious sign-in attempts where non-administrative users try to access administrative applications in Entra ID, which is part of Microsoft's identity and access management service. Here's a simplified breakdown of what the query does:

  1. Watchlist of IT Accounts: It starts by retrieving a list of known IT accounts from a watchlist called 'ITAccounts'.

  2. Data Collection: It gathers sign-in logs from the past hour, focusing on applications related to administration, such as PowerShell, CLI, Command Line, and Management Shell.

  3. Filter Sign-in Results: It filters these logs to include only successful sign-ins or those that failed due to no assignment (result types "0" and "50105").

  4. Join with Identity Information: The query enriches this data by joining it with identity information to get more details about the users, such as their roles and departments.

  5. Exclude Admin and IT Roles: It excludes users who have assigned roles, belong to IT-related departments, or have job titles indicating they are service accounts.

  6. Exclude Known IT Accounts: It further filters out any accounts that match the known IT accounts from the watchlist.

  7. Output: Finally, it outputs a distinct list of sign-in attempts, highlighting the time, user, application, IP address, job title, department, and result type for each attempt.

In essence, this query helps identify potentially unauthorized access attempts by non-admin users to admin-level applications, which could indicate a security risk or misuse of credentials.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: January 28, 2025

Tables

SigninLogsIdentityInfo

Keywords

SigninLogsAppDisplayNameUserPrincipalNameIPAddressUserIdResultTypeIdentityInfoAccountObjectIdAssignedRolesDepartmentJobTitleAccountUPNAccountDisplayName

Operators

letsummarizemake_setmaterializewherehas_anyinjoinkind=leftouterarg_maxonarray_lengthextendtoscalarmv-expandcontainsjoin kind=leftantidistinct

MITRE Techniques

Actions

GitHub