Indicator Of Token Replay Sign In Activity Outside Of Mde Device IP Addresses
Query
let User = "AccountName";
let PublicIp = (DeviceInfo
| mv-expand todynamic(LoggedOnUsers)
| extend ParsedLoggedOnUsers = parse_json(LoggedOnUsers)
| extend LoggedOnUser = tostring(ParsedLoggedOnUsers.UserName)
| where LoggedOnUser contains User
| distinct PublicIP);
EntraIdSignInEvents
| where AccountUpn contains User and IPAddress !in (PublicIp)
| project Timestamp, Application, ResourceDisplayName, LogonType, ErrorCode, SessionId, IPAddress, Country
| join kind=inner (EntraIdSignInEvents | where IPAddress in (PublicIp)) on $left.SessionId == $right.SessionId
| distinct Timestamp, SessionId, Application, ResourceDisplayName, Country, IPAddress, ErrorCode
// Show only event with IPC alerts on SessionId
//| join kind=innerunique (AlertEvidence | extend SessionId = tostring(todynamic(AdditionalFields).SessionId)) on $left.SessionId == $right.SessionId
//| distinct Application, ResourceDisplayName, Country, IPAddress, ErrorCode, DetectionSource, Title
// Show only event with IPC alerts on IPAddress
//| join kind=innerunique (AlertEvidence | extend SessionId = tostring(todynamic(AdditionalFields).SessionId)) on $left.IPAddress == $right.RemoteIP
//| distinct Application, ResourceDisplayName, Country, IPAddress, ErrorCode, DetectionSource, TitleExplanation
This KQL query is designed to analyze and correlate sign-in events and potential security alerts related to a specific user account. Here's a simplified breakdown of what the query does:
-
Identify Public IPs:
- It starts by defining a user account (
User = "AccountName"). - It extracts and expands the list of users logged onto devices (
DeviceInfotable) to find the specific user. - It collects distinct public IP addresses associated with this user's logins.
- It starts by defining a user account (
-
Filter Sign-In Events:
- It then looks at sign-in events (
EntraIdSignInEvents) for the specified user. - It filters out events where the IP address is not in the list of previously identified public IPs.
- It then looks at sign-in events (
-
Project Relevant Information:
- From these filtered events, it selects specific fields like timestamp, application, resource name, logon type, error code, session ID, IP address, and country.
-
Correlate with Known IPs:
- It performs an inner join on the
SessionIdto correlate these events with those that have known public IPs. - It ensures that only distinct combinations of timestamp, session ID, application, resource name, country, IP address, and error code are retained.
- It performs an inner join on the
-
Optional Alert Correlation:
- The query includes commented-out sections that, if activated, would further refine the results by joining with
AlertEvidenceto find events with specific security alerts. - These sections allow for additional filtering based on alerts related to session IDs or IP addresses, showing only events with security alerts.
- The query includes commented-out sections that, if activated, would further refine the results by joining with
In essence, the query is used to identify and analyze sign-in events for a specific user, focusing on those that occur from unexpected IP addresses, and optionally correlating these with security alerts for further investigation.
Details

Thomas Naunheim
Released: November 8, 2025
Tables
DeviceInfoEntraIdSignInEvents
Keywords
DeviceInfoEntraIdSignInEventsAlertEvidence
Operators
letmv-expandtodynamicextendparse_jsontostringwherecontainsdistinctinprojectjoinon==!inkind=innerkind=innerunique