%3CLINGO-SUB%20id%3D%22lingo-sub-2050571%22%20slang%3D%22en-US%22%3ERe%3A%20Hunt%20for%20Azure%20Active%20Directory%20sign-in%20events%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2050571%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20an%20easy%20way%20to%20convert%20queries%20between%20Sentinel%2C%20Microsoft%20365%2C%20and%20Defender%20for%20Endpoint%3F%26nbsp%3B%20Or%20a%20reference%20document%20to%20help%20map%20functions%20and%20commands%20and%20such%3F%26nbsp%3B%20I%20saw%20post%20and%20said%20%22Great%20stuff!%26nbsp%3B%20Let's%20take%20a%20look%20at%20it%20in%20Sentinel!%22%20but%20many%20of%20the%20expressions%20need%20to%20be%20tweaked.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2040278%22%20slang%3D%22en-US%22%3EHunt%20for%20Azure%20Active%20Directory%20sign-in%20events%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2040278%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20happy%20to%20announce%20the%20public%20preview%20availability%20of%20a%20new%20data%20source%20in%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fmtpah%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20365%20Defender%20advanced%20hunting%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETwo%20new%20tables%20for%20%3CSTRONG%3EAzure%20Active%20Directory%20sign-ins%20are%20now%20available%20%3C%2FSTRONG%3Ein%20advanced%20hunting%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-aadspnsignineventsbeta-table%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3EAADSpnSignInEventsBeta%3C%2FSTRONG%3E%3C%2FA%3E%3CSPAN%3E%3CSTRONG%3E%20%E2%80%93%20%3C%2FSTRONG%3Eincludes%3C%2FSPAN%3E%20service%20principal%20and%20managed%20identities%20sign-in%20events%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-aadsignineventsbeta-table%3Fview%3Do365-worldwide%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3EAADSignInEventsBeta%3C%2FSTRONG%3E%3C%2FA%3E%3CSPAN%3E%3CSTRONG%3E%20%E2%80%93%20%3C%2FSTRONG%3Eincludes%20%3C%2FSPAN%3Einteractive%20and%20non-interactive%20sign-in%20events%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3ETables%20are%20visible%20for%20%3CU%3Eglobal%20roles%20assigned%20in%20Azure%20Active%20Directory%20only%3C%2FU%3E%2C%20as%20enforced%20by%20Azure%20Active%20Directory.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20tables%20are%20suffixed%20with%20%E2%80%9Cbeta%E2%80%9D%20because%20it%20is%20a%20short-term%20solution%20to%20help%20you%20quickly%20identify%20possible%20malicious%20sign-in%20events%20for%20investigation.%20In%20parallel%20to%20making%20this%20data%20available%2C%20we%20are%20working%20on%20a%20more%20robust%20and%20complete%20solution.%20We%20will%20share%20more%20details%20on%20that%20soon.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EHere%20are%20some%20useful%20sample%20queries%20that%20can%20also%20help%20you%20understand%20how%20to%20use%20these%20new%20tables%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%20color%3A%20green%3B%22%3E%2F%2F%20Finds%20attempts%20to%20sign%20in%20to%20disabled%20accounts%2C%20listed%20by%20IP%20address%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%20color%3A%20blue%3B%22%3Elet%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%20%3CSPAN%20style%3D%22color%3A%20midnightblue%3B%22%3EtimeRange%3C%2FSPAN%3E%20%3D%2014d%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%20color%3A%20purple%3B%22%3EAADSignInEventsBeta%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Ewhere%3C%2FSPAN%3E%26nbsp%3B%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ETimestamp%3C%2FSPAN%3E%20%26gt%3B%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eago%3C%2FSPAN%3E(%3CSPAN%20style%3D%22color%3A%20midnightblue%3B%22%3EtimeRange%3C%2FSPAN%3E)%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Ewhere%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EErrorCode%3C%2FSPAN%3E%20%3D%3D%20%3CSPAN%20style%3D%22color%3A%20firebrick%3B%22%3E'50057'%3C%2FSPAN%3E%26nbsp%3B%20%3CSPAN%20style%3D%22color%3A%20green%3B%22%3E%2F%2F%20The%20user%20account%20is%20disabled.%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Esummarize%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EStartTime%3C%2FSPAN%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Emin%3C%2FSPAN%3E(%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ETimestamp%3C%2FSPAN%3E)%2C%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EEndTime%3C%2FSPAN%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Emax%3C%2FSPAN%3E(%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ETimestamp%3C%2FSPAN%3E)%2C%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EnumberAccountsTargeted%3C%2FSPAN%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Edcount%3C%2FSPAN%3E(%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EAccountObjectId%3C%2FSPAN%3E)%2C%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%20color%3A%20mediumvioletred%3B%22%3EnumberApplicationsTargeted%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Edcount%3C%2FSPAN%3E(%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EApplicationId%3C%2FSPAN%3E)%2C%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EaccountSet%3C%2FSPAN%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Emake_set%3C%2FSPAN%3E(%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EAccountUpn%3C%2FSPAN%3E)%2C%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EapplicationSet%3C%2FSPAN%3E%3D%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Emake_set%3C%2FSPAN%3E(%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EApplication%3C%2FSPAN%3E)%2C%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%20color%3A%20mediumvioletred%3B%22%3EnumberLoginAttempts%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Ecount%3C%2FSPAN%3E()%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eby%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EIPAddress%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Eextend%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3Etimestamp%3C%2FSPAN%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EStartTime%3C%2FSPAN%3E%2C%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EIPCustomEntity%3C%2FSPAN%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EIPAddress%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Eorder%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eby%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EnumberLoginAttempts%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Edesc%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3CU%3E%3C%2FU%3E%3C%2FPRE%3E%0A%3CPRE%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%20color%3A%20green%3B%22%3E%2F%2F%20Users%20with%20multiple%20cities%20%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%20color%3A%20green%3B%22%3E%2F%2F%20Gets%20a%20list%20of%20users%20that%20signed%20in%20from%20multiple%20locations%20in%20the%20last%2024%20hours%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%20color%3A%20purple%3B%22%3EAADSignInEventsBeta%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Ewhere%3C%2FSPAN%3E%26nbsp%3B%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ETimestamp%3C%2FSPAN%3E%20%26gt%3B%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eago%3C%2FSPAN%3E(%3CSPAN%20style%3D%22color%3A%20midnightblue%3B%22%3E1d%3C%2FSPAN%3E)%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Esummarize%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ECountPerCity%3C%2FSPAN%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Edcount%3C%2FSPAN%3E(%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ECity%3C%2FSPAN%3E)%2C%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EcitySet%3C%2FSPAN%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Emake_set%3C%2FSPAN%3E(%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ECity%3C%2FSPAN%3E)%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eby%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EAccountUpn%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Ewhere%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ECountPerCity%3C%2FSPAN%3E%20%26gt%3B%201%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Eorder%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eby%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ECountPerCity%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Edesc%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CPRE%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%20color%3A%20purple%3B%22%3E%3CFONT%20color%3D%22%23339966%22%3E%2F%2F%20Most%20active%20Managed%20Identities%3CBR%20%2F%3E%2F%2F%20Gets%20list%20of%20the%20top%20100%20most%20active%20managed%20identities%20in%20the%20last%2024%20hours%20%3C%2FFONT%3E%3CBR%20%2F%3EAADSpnSignInEventsBeta%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Ewhere%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ETimestamp%3C%2FSPAN%3E%20%26gt%3B%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eago%3C%2FSPAN%3E(1d)%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Ewhere%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EIsManagedIdentity%3C%2FSPAN%3E%20%3D%3D%20True%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Esummarize%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ECountPerManagedIdentity%3C%2FSPAN%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Ecount%3C%2FSPAN%3E()%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eby%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EServicePrincipalId%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Eorder%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eby%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ECountPerManagedIdentity%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Edesc%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Etake%3C%2FSPAN%3E%20100%20%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CPRE%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%20color%3A%20purple%3B%22%3E%3CFONT%20color%3D%22%23339966%22%3E%2F%2F%20Inactive%20Service%20Principals%20%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3E%2F%2F%20Gets%20list%20of%20service%20principals%20with%20no%20sign-ins%20in%20the%20last%20ten%20days%3C%2FFONT%3E%3CBR%20%2F%3EAADSpnSignInEventsBeta%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Ewhere%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ETimestamp%3C%2FSPAN%3E%20%26gt%3B%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eago%3C%2FSPAN%3E(30d)%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Ewhere%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EErrorCode%3C%2FSPAN%3E%20%3D%3D%200%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Esummarize%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ELastSignIn%3C%2FSPAN%3E%20%3D%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Emax%3C%2FSPAN%3E(%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ETimestamp%3C%2FSPAN%3E)%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eby%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3EServicePrincipalId%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Ewhere%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ELastSignIn%3C%2FSPAN%3E%20%26lt%3B%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eago%3C%2FSPAN%3E(10d)%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Consolas%3B%22%3E%7C%20%3CSPAN%20style%3D%22color%3A%20orangered%3B%22%3Eorder%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eby%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20mediumvioletred%3B%22%3ELastSignIn%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Edesc%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3CU%3E%3C%2FU%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CU%3ENote%3A%3C%2FU%3E%20Customers%20who%20can%20access%20Microsoft%20365%20Defender%20through%20the%20Azure%20Security%20Center%E2%80%99s%20integrated%20Microsoft%20Defender%20for%20Endpoint%20solution%2C%20but%20do%20not%20have%20licenses%20for%20any%20of%20Microsoft%20Defender%20for%20Office%2C%20Microsoft%20Defender%20for%20Identity%2C%20or%20Microsoft%20Cloud%20App%20Security%2C%20will%20not%20be%20able%20to%20view%20this%20schema.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2040278%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20happy%20to%20announce%20the%20public%20preview%20availability%20of%20a%20new%20data%20source%20in%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fmtpah%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20365%20Defender%20advanced%20hunting%3C%2FA%3E.%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22AADsigninsBeta.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F244803iF716F78D6B3BED96%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22AADsigninsBeta.png%22%20alt%3D%22AADsigninsBeta.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2045211%22%20slang%3D%22en-US%22%3ERe%3A%20Hunt%20for%20Azure%20Active%20Directory%20sign-in%20events%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2045211%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20the%20new%20Microsoft%20365%20Defender%20allows%20for%20MSSP%20access%20as%20MDFE%20has%20%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2107703%22%20slang%3D%22en-US%22%3ERe%3A%20Hunt%20for%20Azure%20Active%20Directory%20sign-in%20events%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2107703%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F104809%22%20target%3D%22_blank%22%3E%40Tali%20Ash%3C%2FA%3E%26nbsp%3B%20%26nbsp%3BThe%20availability%20of%20non%20interactive%20%3CSPAN%3Esign-in%20events%20proved%20to%20be%20a%20great%20aid%20to%20triage%26nbsp%3B%26nbsp%3BAzure%20Identity%20protection%20events.%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EIt%20seems%20that%20the%20export%20config%20of%20AAD%20Sign%20in%20logs%20for%20streaming%20events%20to%26nbsp%3B%20hub%20%2FSIEM%20defaults%26nbsp%3B%20as%20%22interactive%22%20only.%26nbsp%3B%20%26nbsp%3BThe%20detailed%20schema%20is%20cool%20!%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2109202%22%20slang%3D%22en-US%22%3ERe%3A%20Hunt%20for%20Azure%20Active%20Directory%20sign-in%20events%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2109202%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F735057%22%20target%3D%22_blank%22%3E%40AnalystGuy%3C%2FA%3E%26nbsp%3Bfor%20MDE%20data%20it%20is%20the%20same%20schema%2C%20please%20use%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fwhat-s-new-microsoft-365-defender-connector-now-in-public%2Fba-p%2F1865651%22%20target%3D%22_self%22%3EMicrosoft%20365%20Defender%20connector%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3EEventually%20the%20schema%20will%20be%20the%20same%20and%20all%20data%20will%20be%20streamed%20through%20this%20connector.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

We are happy to announce the public preview availability of a new data source in Microsoft 365 Defender advanced hunting.

 

Two new tables for Azure Active Directory sign-ins are now available in advanced hunting:

Tables are visible for global roles assigned in Azure Active Directory only, as enforced by Azure Active Directory.

 

The tables are suffixed with “beta” because it is a short-term solution to help you quickly identify possible malicious sign-in events for investigation. In parallel to making this data available, we are working on a more robust and complete solution. We will share more details on that soon.

 

Here are some useful sample queries that can also help you understand how to use these new tables:

 

// Finds attempts to sign in to disabled accounts, listed by IP address
let timeRange = 14d;
AADSignInEventsBeta
| where  Timestamp >= ago(timeRange)
| where ErrorCode == '50057'  // The user account is disabled.
| summarize StartTime = min(Timestamp), EndTime = max(Timestamp), numberAccountsTargeted = dcount(AccountObjectId),
numberApplicationsTargeted = dcount(ApplicationId), accountSet = make_set(AccountUpn), applicationSet=make_set(Application),
numberLoginAttempts = count() by IPAddress
| extend timestamp = StartTime, IPCustomEntity = IPAddress
| order by numberLoginAttempts desc
// Users with multiple cities 
// Gets a list of users that signed in from multiple locations in the last 24 hours
AADSignInEventsBeta
| where  Timestamp >= ago(1d)
| summarize CountPerCity = dcount(City), citySet = make_set(City) by AccountUpn
| where CountPerCity > 1
| order by CountPerCity desc
// Most active Managed Identities
// Gets list of the top 100 most active managed identities in the last 24 hours

AADSpnSignInEventsBeta
| where Timestamp > ago(1d)
| where IsManagedIdentity == True
| summarize CountPerManagedIdentity = count() by ServicePrincipalId
| order by CountPerManagedIdentity desc
| take 100
// Inactive Service Principals 
// Gets list of service principals with no sign-ins in the last ten days
AADSpnSignInEventsBeta
| where Timestamp > ago(30d)
| where ErrorCode == 0
| summarize LastSignIn = max(Timestamp) by ServicePrincipalId
| where LastSignIn < ago(10d)
| order by LastSignIn desc

 

Note: Customers who can access Microsoft 365 Defender through the Azure Security Center’s integrated Microsoft Defender for Endpoint solution, but do not have licenses for any of Microsoft Defender for Office, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.

4 Comments
Senior Member

Does the new Microsoft 365 Defender allows for MSSP access as MDFE has ? 

Occasional Contributor

Is there an easy way to convert queries between Sentinel, Microsoft 365, and Defender for Endpoint?  Or a reference document to help map functions and commands and such?  I saw post and said "Great stuff!  Let's take a look at it in Sentinel!" but many of the expressions need to be tweaked.

Occasional Contributor

@Tali Ash   The availability of non interactive sign-in events proved to be a great aid to triage  Azure Identity protection events.

It seems that the export config of AAD Sign in logs for streaming events to  hub /SIEM defaults  as "interactive" only.   The detailed schema is cool !

Microsoft

@AnalystGuy for MDE data it is the same schema, please use Microsoft 365 Defender connector.

Eventually the schema will be the same and all data will be streamed through this connector.