Password Success From Malicious IP
Query
//Generates an alert if first factor authentication is successful from a known malicious IP address
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultDescription == "Sign-in was blocked because it came from an IP address with malicious activity"
| extend ["Password Result Detail"] = tostring(parse_json(AuthenticationDetails)[0].authenticationStepResultDetail), ["MFA Result Detail"] = tostring(parse_json(AuthenticationDetails)[1].authenticationStepResultDetail)
| where ['Password Result Detail'] has_any ("Correct password", "First factor requirement satisfied by claim in the token")
| project
TimeGenerated,
UserPrincipalName,
UserDisplayName,
IPAddress,
Location,
ResultType,
ResultDescription,
AppDisplayName,
['Password Result Detail'],
['MFA Result Detail'],
UserAgentExplanation
This query is designed to generate an alert when a successful first-factor authentication attempt is detected from a known malicious IP address. Here's a breakdown of what the query does:
-
Data Source: It analyzes data from the
SigninLogstable. -
Time Filter: It only considers sign-in attempts that occurred in the last hour (
TimeGenerated > ago(1h)). -
Malicious IP Check: It filters for sign-in attempts that were blocked because they originated from an IP address associated with malicious activity (
ResultDescription == "Sign-in was blocked because it came from an IP address with malicious activity"). -
Authentication Details: It extracts details about the authentication steps:
Password Result Detail: Checks if the password was correct or if the first-factor requirement was satisfied by a claim in the token.MFA Result Detail: Extracts details about multi-factor authentication, although it doesn't filter based on this.
-
Projection: It selects specific fields to display in the results, including:
TimeGenerated: When the sign-in attempt occurred.UserPrincipalNameandUserDisplayName: The identity of the user attempting to sign in.IPAddressandLocation: Information about where the sign-in attempt originated.ResultTypeandResultDescription: Details about the outcome of the sign-in attempt.AppDisplayName: The application involved in the sign-in attempt.UserAgent: Information about the device or browser used.
In summary, the query identifies and reports sign-in attempts that were blocked due to originating from a malicious IP, but where the first-factor authentication (like password entry) was successful.
Details

Robbie James
Released: November 10, 2024
Tables
Keywords
Operators