Query Details

Identity AAD Risk Event Correlation

Query

//This query will hunt for real time risk events flagged as medium or high that aren't confirmed safe by Microsoft and then enrich that data with information from the IdentityInfo table

//Data connector required for this query - Azure Active Directory - AAD User Risk Events
//Data connector required for this query - Azure Active Directory - Signin Logs
//Data connector required for this query - Microsoft Sentinel UEBA

let id=
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN;
let signin=
    SigninLogs
    | where TimeGenerated > ago (14d)
    | where RiskLevelDuringSignIn in ('high', 'medium')
    | join kind=inner id on $left.UserPrincipalName == $right.AccountUPN
    | extend SigninTime = TimeGenerated
    | where RiskEventTypes_V2 != "[]";
AADUserRiskEvents
| where TimeGenerated > ago (14d)
| extend RiskTime = TimeGenerated
| where DetectionTimingType == "realtime"
| where RiskDetail !has "aiConfirmedSigninSafe"
| join kind=inner signin on CorrelationId
| extend TimeDelta = abs(SigninTime - RiskTime)
| project
    SigninTime,
    UserPrincipalName,
    RiskTime,
    TimeDelta,
    RiskEventTypes,
    RiskLevelDuringSignIn,
    City,
    Country,
    EmployeeId,
    AssignedRoles

Explanation

This query is designed to identify and analyze medium or high-risk events related to user sign-ins that have not been confirmed as safe by Microsoft. It does this by combining data from several sources:

  1. Identity Information: It first gathers the most recent identity information for each user from the IdentityInfo table.

  2. Sign-in Logs: It then looks at sign-in logs from the past 14 days, focusing on those with a medium or high-risk level. It matches these logs with the identity information based on the user's principal name and filters out any events that don't have associated risk event types.

  3. User Risk Events: The query also examines user risk events from the past 14 days, specifically those detected in real-time and not confirmed as safe by Microsoft's AI.

  4. Data Enrichment and Filtering: It combines the sign-in logs and user risk events using a common identifier (CorrelationId) and calculates the time difference between the sign-in and risk event occurrences.

  5. Output: Finally, it outputs a list of relevant details, including the time of sign-in, user principal name, risk event time, time difference between events, risk event types, risk level during sign-in, and additional user information like city, country, employee ID, and assigned roles.

In summary, this query helps security analysts identify potentially unsafe user sign-ins by cross-referencing risk events and sign-in logs, enriching the data with user identity information, and focusing on events that have not been confirmed as safe.

Details

Matt Zorich profile picture

Matt Zorich

Released: June 17, 2022

Tables

IdentityInfoSigninLogsAADUserRiskEvents

Keywords

IdentityInfoSigninLogsAADUserRiskEventsMicrosoftSentinelUEBAAzureActiveDirectory

Operators

letsummarizearg_maxbywhereinjoinkindon$left==$rightextend!=>ago!hasabsproject

Actions

GitHub