Identity Potential App Recon
Query
//Find potentially compromised accounts trying to pivot into other apps by detecting 3 or more distinct Conditional Access failures or 3 or more failures to apps the account has no access to
//Data connector required for this query - Azure Active Directory - Signin Logs
SigninLogs
| where TimeGenerated > ago (1d)
| where ResultType in ("50105", "53003")
| summarize
TotalCount=count(),
['Total Distinct Failed Apps']=make_set(AppDisplayName),
['List of distinct failed CA Apps']=make_set_if(AppDisplayName, ResultType == 53003),
['List of distinct no access Apps']=make_set_if(AppDisplayName, ResultType == 50105)
by UserPrincipalName, bin(TimeGenerated, 1h)
| extend
['Count of distinct failed CA Apps']=array_length(['List of distinct failed CA Apps']),
['Count of distinct failed no access Apps']=array_length(['List of distinct no access Apps'])
| where ['Count of distinct failed CA Apps'] >= 3 or ['Count of distinct failed no access Apps'] >= 3
//Advanced Hunting query
//Data connector required for this query - Advanced Hunting with Azure AD P2 License
AADSignInEventsBeta
| where Timestamp > ago (1d)
| where ErrorCode in ("50105", "53003")
| summarize
TotalCount=count(),
['Total Distinct Failed Apps']=make_set(Application),
['List of distinct failed CA Apps']=make_set_if(Application, ErrorCode == 53003),
['List of distinct no access Apps']=make_set_if(Application, ErrorCode == 50105)
by AccountUpn, bin(Timestamp, 1h)
| extend
['Count of distinct failed CA Apps']=array_length(['List of distinct failed CA Apps']),
['Count of distinct failed no access Apps']=array_length(['List of distinct no access Apps'])
| where ['Count of distinct failed CA Apps'] >= 3 or ['Count of distinct failed no access Apps'] >= 3Explanation
This query is used to find potentially compromised accounts that are attempting to access other apps. It looks for accounts that have had 3 or more distinct failures in Conditional Access or 3 or more failures in apps that the account does not have access to. The query is run on Azure Active Directory Signin Logs or Advanced Hunting with Azure AD P2 License, depending on the data connector available. The query summarizes the data by user and time, and then filters for accounts that meet the criteria of having 3 or more failures in either category.
Details

Matt Zorich
Released: June 6, 2023
Tables
SigninLogsAADSignInEventsBeta
Keywords
SigninLogsTimeGeneratedResultTypeAppDisplayNameUserPrincipalNameTotalCountList of distinct failed CA AppsList of distinct no access AppsCount of distinct failed CA AppsCount of distinct failed no access Apps
AADSignInEventsBetaTimestampErrorCodeApplicationAccountUpnCount of distinct failed no access Apps
Operators
whereagoinsummarizecountmake_setmake_set_ifbybinextendarray_lengthor