Sign Ins by compromised account
Entra ID Sign Ins By Compromised Account
Query
let CompromisedAccountUPN = "[email protected]";
let SearchWindow = 48h; //Customizable h = hours, d = days
let aadFunc = (tableName: string, email: string) {
table(tableName)
| where TimeGenerated > ago(SearchWindow)
| where ResultType == 0
| where UserPrincipalName == email
};
let aadSignin = aadFunc("SigninLogs", CompromisedAccountUPN);
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs", CompromisedAccountUPN);
union isfuzzy=true aadSignin, aadNonInt
// In case of all details remove line below
| project TimeGenerated, Category, Location, AppDisplayName, ClientAppUsed, RiskStateAbout this query
Sign Ins by compromised account
Query Information
Description
List the interactive and noninteractive signins that have been performed by a compromised account. This can be done based on the UPN of the compromised account.
References
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs
- https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/non-interactive-logins-minimizing-the-blind-spot/ba-p/2287932
Sentinel
Explanation
This query is designed to identify and list both interactive and non-interactive sign-ins performed by a specific compromised account within a specified time frame. Here's a simple breakdown of what the query does:
-
Compromised Account Identification: The query focuses on a specific user account identified by the User Principal Name (UPN), in this case, "[email protected]".
-
Time Frame: It looks at sign-in activities that occurred within the last 48 hours, but this time window can be adjusted as needed.
-
Data Sources: The query examines two types of logs:
- Interactive Sign-ins: From the "SigninLogs" table.
- Non-Interactive Sign-ins: From the "AADNonInteractiveUserSignInLogs" table.
-
Successful Sign-ins: It filters the logs to include only successful sign-ins, indicated by a
ResultTypeof 0. -
Combining Results: The query combines the results from both interactive and non-interactive sign-in logs.
-
Output: It displays specific details about each sign-in, including the time it occurred, category, location, application used, client app used, and the risk state.
This query helps in monitoring and investigating sign-in activities of a potentially compromised account to understand the extent and nature of the compromise.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators