Query Details

Identification Of Risky Users Risk Dismissal Or Account Compromised Confirmation

Query

let Timeframe = 90d;
AuditLogs
    | where TimeGenerated > ago(Timeframe)
    // Choose whether you want to focus on DissmissUser or ConfirmAccountCompromised operations
    //| where OperationName == "DismissUser"
    //| where OperationName == "ConfirmAccountCompromised"
    | extend SuspUser = tostring(TargetResources[0].displayName)
    // Add here the name of the user you want to focus on
    //| where SuspUser contains @""
    | extend SecUser = InitiatedBy.user.userPrincipalName
    // Add here the name of the security operator that confirmed account compromized
    //| where SecUser contains @""
    | project TimeGenerated, SuspUser, SecUser
    | sort by TimeGenerated desc

About this query

Identification of risky users risk dismissal or account compromised confirmation

Description

The following query will identify through Microsoft Entra ID Protection capacity, risky users operations that include risk dismissal or account compromised confirmation.

Microsoft Sentinel

Versioning

VersionDateComments
1.014/12/2023Initial publish

Explanation

This query uses Microsoft Entra ID Protection to identify risky user operations related to risk dismissal or account compromise confirmation. It looks at audit logs within a specified timeframe and filters for specific operations. It then extracts the display name of the targeted user and the user principal name of the security operator who confirmed the account compromise. The results are sorted by the time the operation was generated.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: December 14, 2023

Tables

AuditLogs

Keywords

DevicesIntuneUser

Operators

whereextendprojectsort by

Actions

GitHub