search

KQL hunting with Azure and Log Analytics

hashtag
From the Microsoft Entra Admin center on the left for monitoring and health some times it is is hidden under show more. under that tab is Log analyst

Large number of failed authentications - If a user account has a large amount of failed authentications in a short time period, it could be a sign of a brute force or password spray attack. The following KQL example will return all users that have 10+ failed password attempts in the last 24 hours.

SigninLogs
| where TimeGenerated > ago (24hrs)
| where ResultType == "50126"
| summarize event_count = count() by UserPrincipalName 
| where event_count > 9
| project UserPrincipalName, event_count

More Details

SigninLogs
| where ResultType == "50126"
| summarize 
    event_count = count(), 
    StartTime = min(TimeGenerated), 
    EndTime = max(TimeGenerated), 
    IPs = make_set(IPAddress), 
    Apps = make_set(AppDisplayName) 
    by UserPrincipalName 
| where event_count > 9
| project UserPrincipalName, event_count, StartTime, EndTime, IPs, Apps

MFA fatigue attack - An MFA fatigue attack is where the end user is repeatedly bombarded with MFA requests in the hope they will approve one. The number match experience has largely mitigated this type of attack but this is also an indicator that a user's password may have been compromised so needs to be reviewed urgently. The following KQL example will return users that have had 5+ MFA failures or device authentication failures in the last 24 hours.

More Detailed

MFA fraud - If a user reports MFA fraud via authenticator app\phone then it's possible that the user has received an MFA challenge that they did not initiate. This could be a sign that the user's password has been compromised and a MFA fatigue attack is underway. The following KQL example will return users that have either denied MFA or reported fraud.

Count fraud

Account locked out - If a user's account has been locked out (smart lock out) it could indicate that sign-in attempts have come from a known malicious IP address, or the account was locked due to repeated sign-in attempts. The following KQL example will return users that have had their account locked out.

Users successfully authenticating to external Entra ID tenants - If your organization doesn't allow (or tightly controls) access to external Entra ID tenants then you can monitor this. This KQL example shows the user and tenantID of the resource tenant they accessed.

Users that have put in the correct passwords but failed the MFA and are risky users

Users that are risky

hashtag
Resources accessed by user

Lists the resources accessed for a specific user.

hashtag
User count per Resource

How many Users have connected to a resource like AD an exchange

hashtag
User count per Application

How many users are using a certain application like outlook

hashtag
Failed Sign-in reasons

The query list the main reasons for sign in failures.

hashtag
Failed login Count

Resources with most failed log in attempts.

hashtag
Sign-in Locations

Failed and successful sign-ins by source location.

country

hashtag
Sign-ins from Unfamiliar Countries

PreviousKQL hunting email QueriesNextKQL Hunting URLS Queries

Last updated