Hunt for Azure Active Directory sign-in events
Published Jan 07 2021 01:15 PM
Microsoft

We are happy to announce the public preview availability of a new data source in Microsoft 365 Defender advanced hunting.


Two new tables for Azure Active Directory sign-ins are now available in advanced hunting:

AADSignInEventsBeta: sign-in events for user accounts, both interactive and non-interactive (sign-ins performed by a client on the user's behalf).
AADSpnSignInEventsBeta: sign-in events for service principals, including managed identities.

The tables are visible only to users holding global roles assigned in Azure Active Directory; this restriction is enforced by Azure Active Directory itself.


The tables are suffixed with "beta" because they are a short-term solution to help you quickly identify possible malicious sign-in events for investigation. In parallel with making this data available, we are working on a more robust and complete solution. We will share more details on that soon.


Here are some useful sample queries that can also help you understand how to use these new tables:


// Sign-in attempts against disabled accounts, listed by source IP address
// ErrorCode is an integer column in this table, so compare it with the number 50057, not the string '50057'
let timeRange = 14d;
AADSignInEventsBeta
| where Timestamp >= ago(timeRange)
| where ErrorCode == 50057  // AADSTS50057: the user account is disabled
| summarize StartTime = min(Timestamp), EndTime = max(Timestamp),
    numberAccountsTargeted = dcount(AccountObjectId),
    numberApplicationsTargeted = dcount(ApplicationId),
    accountSet = make_set(AccountUpn), applicationSet = make_set(Application),
    numberLoginAttempts = count() by IPAddress
| extend timestamp = StartTime, IPCustomEntity = IPAddress  // entity-mapping columns used by Microsoft Sentinel hunting queries
| order by numberLoginAttempts desc

// Users with multiple cities
// Gets a list of users that signed in from multiple locations in the last 24 hours
AADSignInEventsBeta
| where Timestamp >= ago(1d)
| where isnotempty(City)  // a failed geolocation lookup should not count as a separate location
| summarize CountPerCity = dcount(City), citySet = make_set(City) by AccountUpn
| where CountPerCity > 1
| order by CountPerCity desc

// Most active managed identities
// Gets a list of the top 100 most active managed identities in the last 24 hours
AADSpnSignInEventsBeta
| where Timestamp > ago(1d)
| where IsManagedIdentity == true
| summarize CountPerManagedIdentity = count() by ServicePrincipalId
| order by CountPerManagedIdentity desc
| take 100

// Inactive service principals
// Gets a list of service principals whose last successful sign-in in the past 30 days is more than ten days old
// Note: a service principal with no successful sign-in at all in the 30-day window does not appear in the output
AADSpnSignInEventsBeta
| where Timestamp > ago(30d)
| where ErrorCode == 0  // successful sign-ins only
| summarize LastSignIn = max(Timestamp) by ServicePrincipalId
| where LastSignIn < ago(10d)
| order by LastSignIn desc
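To make the behaviour of the four queries above checkable without a tenant, here is an added Python re-implementation of their logic run over a constructed set of sample rows. This is example code written for this page, not code from the original post or from Microsoft; the row shape mirrors only the AADSignInEventsBeta and AADSpnSignInEventsBeta columns the queries touch, the reference time NOW and all account, IP and service principal values are made up, and two edge cases the KQL does not spell out are handled explicitly: an empty City is not treated as a distinct location, and a service principal with no successful sign-in inside the 30-day lookback never appears in the "inactive" result.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed reference time so the constructed sample below gives reproducible results.
NOW = datetime(2021, 1, 7, 12, 0, tzinfo=timezone.utc)


def _ago(**kw):
    return NOW - timedelta(**kw)


def _u(ts, code, who, app, ip, city=""):
    """One AADSignInEventsBeta-shaped row (only the columns the queries use). Constructed data."""
    return dict(Timestamp=ts, ErrorCode=code, AccountObjectId="u-" + who,
                AccountUpn=who + "@contoso.example", ApplicationId="app-" + app,
                Application=app, IPAddress=ip, City=city)


def _s(ts, code, spn, managed):
    """One AADSpnSignInEventsBeta-shaped row. Constructed data."""
    return dict(Timestamp=ts, ErrorCode=code, ServicePrincipalId=spn, IsManagedIdentity=managed)


# Constructed sample rows (not real tenant data). ErrorCode 50057 = account disabled, 0 = success.
USER_SIGNINS = [
    _u(_ago(hours=1), 50057, "alice", "Office365", "198.51.100.7"),
    _u(_ago(hours=2), 50057, "bob", "Office365", "198.51.100.7"),
    _u(_ago(hours=3), 50057, "alice", "AzurePortal", "198.51.100.7"),
    _u(_ago(days=2), 50057, "bob", "Office365", "203.0.113.5"),
    _u(_ago(days=20), 50057, "bob", "Office365", "203.0.113.5"),        # older than 14d: ignored
    _u(_ago(hours=4), 0, "carol", "Office365", "192.0.2.10", "Seattle"),
    _u(_ago(hours=5), 0, "carol", "Office365", "192.0.2.77", "Paris"),
    _u(_ago(days=3), 0, "carol", "Office365", "192.0.2.78", "London"),  # older than 1d: ignored
    _u(_ago(hours=6), 0, "dave", "Office365", "192.0.2.11", "Seattle"),
    _u(_ago(hours=7), 0, "dave", "Office365", "192.0.2.11"),            # geolocation missing: empty City
]
SPN_SIGNINS = [
    _s(_ago(minutes=10), 0, "sp-mi-1", True),
    _s(_ago(minutes=20), 0, "sp-mi-1", True),
    _s(_ago(minutes=30), 0, "sp-mi-1", True),
    _s(_ago(hours=1), 0, "sp-mi-2", True),
    _s(_ago(days=2), 0, "sp-mi-2", True),          # older than 1d: not recent activity
    _s(_ago(hours=1), 0, "sp-app-1", False),
    _s(_ago(hours=2), 0, "sp-app-1", False),
    _s(_ago(days=15), 0, "sp-stale", False),       # last success 15 days ago
    _s(_ago(days=1), 7000215, "sp-stale", False),  # AADSTS7000215 invalid client secret: a failure, not a sign-in
    _s(_ago(days=40), 0, "sp-old", False),         # outside the 30d lookback: never appears in the output
]


def disabled_account_attempts_by_ip(events, window=timedelta(days=14), now=NOW):
    """Query 1: attempts against disabled accounts, summarised per source IP, busiest IP first."""
    per_ip = defaultdict(list)
    for e in events:
        if e["Timestamp"] >= now - window and e["ErrorCode"] == 50057:
            per_ip[e["IPAddress"]].append(e)
    rows = [dict(IPAddress=ip,
                 StartTime=min(e["Timestamp"] for e in evs), EndTime=max(e["Timestamp"] for e in evs),
                 numberAccountsTargeted=len({e["AccountObjectId"] for e in evs}),
                 numberApplicationsTargeted=len({e["ApplicationId"] for e in evs}),
                 accountSet=sorted({e["AccountUpn"] for e in evs}),
                 applicationSet=sorted({e["Application"] for e in evs}),
                 numberLoginAttempts=len(evs)) for ip, evs in per_ip.items()]
    return sorted(rows, key=lambda r: r["numberLoginAttempts"], reverse=True)


def users_in_multiple_cities(events, window=timedelta(days=1), now=NOW):
    """Query 2. Tighter than a plain dcount(City): an empty City (failed geolocation)
    is not a distinct location, so Seattle plus '' does not flag a user."""
    cities = defaultdict(set)
    for e in events:
        if e["Timestamp"] >= now - window and e["City"]:
            cities[e["AccountUpn"]].add(e["City"])
    rows = [(upn, len(c), sorted(c)) for upn, c in cities.items() if len(c) > 1]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def most_active_managed_identities(events, window=timedelta(days=1), top=100, now=NOW):
    """Query 3: sign-in count per managed identity inside the window, top N."""
    counts = defaultdict(int)
    for e in events:
        if e["Timestamp"] > now - window and e["IsManagedIdentity"]:
            counts[e["ServicePrincipalId"]] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:top]


def inactive_service_principals(events, lookback=timedelta(days=30), idle=timedelta(days=10), now=NOW):
    """Query 4: last successful sign-in per service principal inside the lookback, keeping those
    idle longer than `idle`. A principal with no success in the lookback is absent, as in the KQL."""
    last = {}
    for e in events:
        if e["Timestamp"] > now - lookback and e["ErrorCode"] == 0:
            spn = e["ServicePrincipalId"]
            last[spn] = max(last.get(spn, e["Timestamp"]), e["Timestamp"])
    return sorted([(s, t) for s, t in last.items() if t < now - idle], key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    print(disabled_account_attempts_by_ip(USER_SIGNINS))
    print(users_in_multiple_cities(USER_SIGNINS))
    print(most_active_managed_identities(SPN_SIGNINS))
    print(inactive_service_principals(SPN_SIGNINS))
```

Running it shows 198.51.100.7 as the busiest source (three attempts against two disabled accounts across two applications), carol as the only user seen in more than one city, the two managed identities ranked by volume, and sp-stale as the only idle principal; sp-old, with its only success 40 days back, is silent, which is the blind spot to keep in mind when reading the inactive-principal query.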


Note: Customers who can access Microsoft 365 Defender through the Azure Security Center’s integrated Microsoft Defender for Endpoint solution, but do not have licenses for any of Microsoft Defender for Office 365, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.

5 Comments
Copper Contributor

Does the new Microsoft 365 Defender allow for MSSP access as MDFE does?

Copper Contributor

Is there an easy way to convert queries between Sentinel, Microsoft 365, and Defender for Endpoint? Or a reference document to help map functions and commands and such? I saw the post and said "Great stuff! Let's take a look at it in Sentinel!" but many of the expressions need to be tweaked.

Brass Contributor

@Tali Ash The availability of non-interactive sign-in events proved to be a great aid to triage Azure Identity Protection events.

It seems that the export config of AAD sign-in logs for streaming events to hub/SIEM defaults to "interactive" only. The detailed schema is cool!

Microsoft

@AnalystGuy for MDE data it is the same schema, please use Microsoft 365 Defender connector.

Eventually the schema will be the same and all data will be streamed through this connector.

Brass Contributor

@Tali Ash How can we access these 2 new tables? They are not currently available for our tenant.

Last update:
‎May 11 2021 10:47 PM