//Detect potential device code phishing by finding sign-ins with both an error 50199 (additional approval required) and error code 0 (success)
//Depending on the size of your tenant - or if you have developers or devices using these flows - you may get false positives.
//The second query looks for new UserPrincipalNames triggering this sign-in flow that were not seen in the previous 30 days
//The third query searches for a new combination of both UserPrincipalName AND IPAddress not seen in the last 30 days
//Data connector required for this query - Azure Active Directory - Signin Logs
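// ===== Query 1: any sign-in sequence carrying both 50199 and 0 (run on its own) =====
// A CorrelationId ties the events of one sign-in sequence together. Flag every
// CorrelationId in the detection window that shows both result codes, then pull
// the full rows for those sequences so an analyst can review who/where/what.
// The second SigninLogs scan is bounded to the same window: unbounded it would
// read the whole retention period for a handful of ids.
// NOTE(review): ResultType is a string column in many workspaces; if the numeric
// filter below matches nothing, compare against "0" and "50199" instead.
let lookback = 1d;  // detection window; widen for low-volume tenants
let suspiciousids =
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType in (0, 50199)
| summarize Results = make_set(ResultType) by CorrelationId
| where Results has_all (0, 50199)
| distinct CorrelationId;
SigninLogs
| where TimeGenerated > ago(lookback)
| where CorrelationId in (suspiciousids)
// CorrelationId is appended so the rows of one sequence can be grouped in the results
| project TimeGenerated, UserPrincipalName, Location, IPAddress, UserAgent, ResultType, CorrelationId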
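// ===== Query 2: first-seen users for this sign-in flow (run on its own) =====
// Baseline: every UserPrincipalName that completed a 50199 -> 0 sequence between
// `baseline` and `lookback` ago. Alert only on sequences in the detection window
// whose user is absent from that baseline, which suppresses developers and
// devices that use this flow routinely.
// NOTE(review): ResultType is a string column in many workspaces; if the numeric
// filters below match nothing, compare against "0" and "50199" instead.
let lookback = 1d;   // detection window
let baseline = 30d;  // how far back "previously seen" reaches
let knownusers =
SigninLogs
| where TimeGenerated > ago(baseline) and TimeGenerated < ago(lookback)
| where ResultType in (0, 50199)
| summarize Results = make_set(ResultType) by CorrelationId, UserPrincipalName
| where Results has_all (0, 50199)
| distinct UserPrincipalName;
let suspiciousids =
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType in (0, 50199)
| summarize Results = make_set(ResultType) by CorrelationId, UserPrincipalName
| where Results has_all (0, 50199)
| where UserPrincipalName !in (knownusers)
| distinct CorrelationId;
SigninLogs
| where TimeGenerated > ago(lookback)  // bound the row fetch to the detection window
| where CorrelationId in (suspiciousids)
// CorrelationId is appended so the rows of one sequence can be grouped in the results
| project TimeGenerated, UserPrincipalName, Location, IPAddress, UserAgent, ResultType, CorrelationId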
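// ===== Query 3: first-seen user + IP pairs for this sign-in flow (run on its own) =====
// Left side: (UserPrincipalName, IPAddress) pairs that completed a 50199 -> 0
// sequence during the baseline period. Right side: sequences in the detection
// window. `rightanti` keeps only right-side rows whose pair has no match on the
// left, i.e. a known user from a new address or a wholly new user.
// NOTE(review): join keys are matched as exact strings; if your logs mix UPN
// casing, normalise both sides (e.g. tolower) before joining - confirm on your data.
// NOTE(review): ResultType is a string column in many workspaces; if the numeric
// filters below match nothing, compare against "0" and "50199" instead.
let lookback = 1d;   // detection window
let baseline = 30d;  // how far back "previously seen" reaches
let suspiciousids =
SigninLogs
| where TimeGenerated > ago(baseline) and TimeGenerated < ago(lookback)
| where ResultType in (0, 50199)
| summarize Results = make_set(ResultType) by CorrelationId, UserPrincipalName, IPAddress
| where Results has_all (0, 50199)
| distinct UserPrincipalName, IPAddress
| join kind=rightanti (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in (0, 50199)
    | summarize Results = make_set(ResultType) by CorrelationId, UserPrincipalName, IPAddress
    | where Results has_all (0, 50199)
) on UserPrincipalName, IPAddress
| distinct CorrelationId;
SigninLogs
| where TimeGenerated > ago(lookback)  // bound the row fetch to the detection window
| where CorrelationId in (suspiciousids)
// CorrelationId is appended so the rows of one sequence can be grouped in the results
| project TimeGenerated, UserPrincipalName, Location, IPAddress, UserAgent, ResultType, CorrelationId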