NEW Real Time Anomalous Token Detection
Query
// NEW Real-time Anomalous Token Detection
// https://www.linkedin.com/posts/activity-7194744137185701889-XCcu/
// With the new developments from Microsoft Entra Blog, it is now possible to perform Real-time Anomalous Token Detection automatically disrupts token replay attacks in real-time when paired with a risk-based Conditional Access for sign-ins (E.g. RiskLevel = High)
let AnomalousTokenRequestId=
SecurityAlert
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)
| project Entities
| extend RequestId = tostring(Entities.RequestId)
| distinct RequestId;
AADUserRiskEvents
| where RequestId has_any(AnomalousTokenRequestId)
| where DetectionTimingType == "realtime"
| where RiskLevel == "high" and RiskState == "atRisk"
// MITRE ATT&CK Mapping
// The KQL code is designed to detect anomalous token requests and high-risk user events in Azure Active Directory (AAD). Here are the relevant MITRE ATT&CK techniques:
// T1078 - Valid Accounts:
// Description: Adversaries may use valid accounts to maintain access to victim systems.
// Relevance: The detection of anomalous tokens can indicate the use of compromised or unauthorized accounts.
// T1071 - Application Layer Protocol:
// Description: Adversaries may communicate using application layer protocols to avoid detection.
// Relevance: Anomalous token requests might involve unusual or unauthorized use of application layer protocols.
// T1556 - Modify Authentication Process:
// Description: Adversaries may modify authentication mechanisms to gain access.
// Relevance: High-risk events in AAD can indicate attempts to bypass or manipulate authentication processes.
// T1110 - Brute Force:
// Description: Adversaries may use brute force techniques to obtain valid credentials.
// Relevance: High-risk and real-time detection of user risk events can be indicative of brute force attempts.Explanation
This KQL query is designed to detect and respond to suspicious activities related to token usage in Azure Active Directory (AAD). Here's a simplified explanation:
-
Objective: The query aims to identify and address "Anomalous Token" alerts, which are indicative of potentially unauthorized or compromised token usage.
-
Process:
- It first extracts unique request IDs associated with "Anomalous Token" alerts from the
SecurityAlertdata. - Then, it checks the
AADUserRiskEventsdata for any events that match these request IDs. - It filters these events to focus on those detected in real-time, with a high-risk level, and currently in an "at risk" state.
- It first extracts unique request IDs associated with "Anomalous Token" alerts from the
-
Purpose: By identifying these high-risk, real-time anomalous token events, the system can automatically disrupt potential token replay attacks, especially when integrated with risk-based Conditional Access policies.
-
MITRE ATT&CK Techniques:
- T1078 (Valid Accounts): Detecting anomalous tokens can reveal the use of compromised accounts.
- T1071 (Application Layer Protocol): Unusual token requests might involve unauthorized use of protocols.
- T1556 (Modify Authentication Process): High-risk events may indicate attempts to alter authentication processes.
- T1110 (Brute Force): Real-time detection of high-risk events can signal brute force attempts to gain access.
In summary, this query helps enhance security by detecting and mitigating risks associated with anomalous token usage in real-time, leveraging Microsoft's security features and aligning with recognized threat detection frameworks.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators