-
Notifications
You must be signed in to change notification settings - Fork 2.9k
/
riskySignInToNewMFAMethod.yaml
34 lines (34 loc) · 1.7 KB
/
riskySignInToNewMFAMethod.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
id: 0f57238b-e764-4246-b101-f78bf8c942a7
name: Risky Sign-in with new MFA method
description: |
Looks for a new MFA method added to an account that was preceded by medium or high risk sign-in session for the same user within maximum 6h timeframe
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
- AADSignInEventsBeta
tactics:
- Persistence
query: |
let mfaMethodAdded=CloudAppEvents
| where ActionType =~ "Update user."
| where RawEventData has "StrongAuthenticationPhoneAppDetail"
| where isnotempty(RawEventData.ObjectId) and isnotempty(RawEventData.Target[1].ID)
| extend AccountUpn = tostring(RawEventData.ObjectId)
| extend AccountObjectId = tostring(RawEventData.Target[1].ID)
| project MfaAddedTimestamp=Timestamp,AccountUpn,AccountObjectId;
let usersWithNewMFAMethod=mfaMethodAdded
| distinct AccountObjectId;
let hasusersWithNewMFAMethod = isnotempty(toscalar(usersWithNewMFAMethod));
let riskySignins=AADSignInEventsBeta
| where hasusersWithNewMFAMethod
| where AccountObjectId in (usersWithNewMFAMethod)
| where RiskLevelDuringSignIn in ("50","100") //Medium and High sign-in risk level.
| where Application in ("Office 365 Exchange Online", "OfficeHome")
| where isnotempty(SessionId)
| project SignInTimestamp=Timestamp, Application, SessionId, AccountObjectId, IPAddress,RiskLevelDuringSignIn
| summarize SignInTimestamp=argmin(SignInTimestamp,*) by Application,SessionId, AccountObjectId, IPAddress,RiskLevelDuringSignIn;
mfaMethodAdded
| join riskySignins on AccountObjectId
| where MfaAddedTimestamp - SignInTimestamp < 6h //Time delta between risky sign-in and device registration less than 6h
| project-away AccountObjectId1