Query Details

Sign Ins by compromised account

Entra ID Sign Ins By Compromised Account

Query

let CompromisedAccountUPN = "[email protected]";
let SearchWindow = 48h; //Customizable h = hours, d = days
let aadFunc = (tableName: string, email: string) {
    table(tableName)
    | where TimeGenerated > ago(SearchWindow)
    | where ResultType == 0
    | where UserPrincipalName == email
};
let aadSignin = aadFunc("SigninLogs", CompromisedAccountUPN);
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs", CompromisedAccountUPN);
union isfuzzy=true aadSignin, aadNonInt
// In case of all details remove line below
| project TimeGenerated, Category, Location, AppDisplayName, ClientAppUsed, RiskState

About this query

Sign Ins by compromised account

Query Information

Description

List the interactive and noninteractive signins that have been performed by a compromised account. This can be done based on the UPN of the compromised account.

References

Sentinel

Explanation

This query is designed to identify and list both interactive and non-interactive sign-ins performed by a specific compromised account within a specified time frame. Here's a simple breakdown of what the query does:

  1. Compromised Account Identification: The query focuses on a specific user account identified by the User Principal Name (UPN), in this case, "[email protected]".

  2. Time Frame: It looks at sign-in activities that occurred within the last 48 hours, but this time window can be adjusted as needed.

  3. Data Sources: The query examines two types of logs:

    • Interactive Sign-ins: From the "SigninLogs" table.
    • Non-Interactive Sign-ins: From the "AADNonInteractiveUserSignInLogs" table.
  4. Successful Sign-ins: It filters the logs to include only successful sign-ins, indicated by a ResultType of 0.

  5. Combining Results: The query combines the results from both interactive and non-interactive sign-in logs.

  6. Output: It displays specific details about each sign-in, including the time it occurred, category, location, application used, client app used, and the risk state.

This query helps in monitoring and investigating sign-in activities of a potentially compromised account to understand the extent and nature of the compromise.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

SigninLogsAADNonInteractiveUserSignInLogs

Keywords

SigninLogsAADNonInteractiveUserSignInLogsUserPrincipalNameTimeGeneratedCategoryLocationAppDisplayNameClientAppUsedRiskState

Operators

lettable|where>ago==unionisfuzzyproject

Actions

GitHub