Entra Falcon Detection
Query
// https://blog.compass-security.com/2025/04/introducing-entrafalcon-a-tool-to-enumerate-entra-id-objects-and-assignments/
let QueryPeriod = 1h;
let InteractiveSignin =
SigninLogs
| where TimeGenerated > ago(QueryPeriod)
| where (AppId == "1b730954-1685-4b74-9bfd-dac224a7b894" and
ResourceIdentity == "00000003-0000-0000-c000-000000000000") or
(AppId == "04b07795-8ddb-461a-bbee-02f9e1bf7b46" and
ResourceIdentity == "00000003-0000-0000-c000-000000000000");
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(QueryPeriod)
| where (AppId == "eb20f3e3-3dce-4d2c-b721-ebb8d4414067" and
ResourceIdentity == "00000003-0000-0000-c000-000000000000") or
(AppId == "04b07795-8ddb-461a-bbee-02f9e1bf7b46" and
ResourceIdentity == "797f4846-ba00-4fd7-ba43-dac1f8f63013")
| union InteractiveSigninExplanation
This query is designed to analyze sign-in logs from Azure Active Directory (AAD) within the last hour. It focuses on two types of sign-ins: interactive and non-interactive.
-
Interactive Sign-ins: The query filters the
SigninLogstable to find entries where theAppIdandResourceIdentitymatch specific values. These values correspond to known applications and resources within Azure. -
Non-Interactive Sign-ins: Similarly, it filters the
AADNonInteractiveUserSignInLogstable for entries with specificAppIdandResourceIdentityvalues. -
Combining Results: The results from both the interactive and non-interactive sign-ins are combined using the
unionoperator. This provides a comprehensive view of all relevant sign-in activities within the specified time frame.
In summary, the query retrieves and combines specific sign-in activities from Azure Active Directory logs over the past hour, focusing on certain applications and resources.
Details

Steven Lim
Released: May 19, 2025
Tables
Keywords
Operators