Burglar McToken
Looks like the schema has changed somewhat. Let me dig into it.
Did you ever find what had changed? For me, I can't even find the SessionId information anywhere other than in CloudAppEvents.
Looks like some of the parameters have changed since that was originally created.
I made a couple changes. Try it again.
Thanks. This is weird. The SessionId is nowhere to be found in Sentinel (and especially not in SigninLogs), not even in the table reference:
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs
I was only able to make it work in Defender:
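// Burglar McToken: flag users whose sign-in SessionId shows up from more than
// one IP address. A replayed/stolen session token typically appears as the same
// SessionId being used from an IP that the original sign-in never came from.
// Output columns: AccountUpn, SessionId, IPCount.
// Define the time range and the threshold for the number of sessions per user
let starttime = ago(7d);
let endtime = ago(3d);
let session_threshold = 1; // a user is flagged when MORE than this many sessions have multiple IPs
// Get the successful sign-in events from Azure Active Directory.
// Rows with an empty SessionId are dropped: an empty key would make every such
// row join every other empty-key row for the account and inflate IPCount.
let signin_events = AADSignInEventsBeta
| where Timestamp between (starttime .. endtime)
| where ErrorCode == 0 // successful sign-ins only
| where isnotempty(SessionId)
| project Timestamp, AccountObjectId, AccountUpn, IPAddress, SessionId;
// Get the cloud app events from Microsoft Cloud App Security.
// The same time window is applied here so the join does not scan the whole table.
let cloudapp_events = CloudAppEvents
| where Timestamp between (starttime .. endtime)
| extend SessionId = tostring(RawEventData.SessionId)
| where isnotempty(SessionId)
| project Timestamp, AccountId, AccountDisplayName, IPAddress, SessionId;
// Join the sign-in events and the cloud app events by account object id and session id.
// After the join the sign-in IP is IPAddress and the cloud app IP is IPAddress1.
// Both are folded into a single IPAddress column so the distinct count below
// covers the IP the session was created from AND every IP it was used from;
// projecting only the left-hand IPAddress would silently ignore the cloud app side.
let joined_events = signin_events
| join kind=inner cloudapp_events on $left.AccountObjectId == $right.AccountId, SessionId
| extend SessionIPs = pack_array(IPAddress, IPAddress1)
| project-away IPAddress, IPAddress1
| mv-expand IPAddress = SessionIPs to typeof(string)
| project Timestamp, AccountUpn, IPAddress, SessionId;
// Count the number of distinct IP addresses per user and session
let session_stats = joined_events
| summarize IPCount = dcount(IPAddress) by AccountUpn, SessionId;
// Find the sessions that have more than one IP address associated with them
// (IPCount is kept so the final result does not need a second join back).
let multi_ip_sessions = session_stats
| where IPCount > 1;
// Find the users that have more than the threshold number of sessions with multiple IP addresses
let suspicious_users = multi_ip_sessions
| summarize SessionCount = count() by AccountUpn
| where SessionCount > session_threshold
| project AccountUpn;
// Return the suspicious users and their sessions with multiple IP addresses
multi_ip_sessions
| join kind=inner suspicious_users on AccountUpn
| project AccountUpn, SessionId, IPCount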
Looks like the schema has changed somewhat. Let me dig into it.
Did you ever find what had changed? For me, I can't even find the SessionId information anywhere other than in CloudAppEvents.
Looks like some of the parameters have changed since that was originally created.
I made a couple changes. Try it again.
Thanks. This is weird. The SessionId is nowhere to be found in Sentinel (and especially not in SigninLogs), not even in the table reference:
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs
I was only able to make it work in Defender:
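// Burglar McToken: flag users whose sign-in SessionId shows up from more than
// one IP address. A replayed/stolen session token typically appears as the same
// SessionId being used from an IP that the original sign-in never came from.
// Output columns: AccountUpn, SessionId, IPCount.
// Define the time range and the threshold for the number of sessions per user
let starttime = ago(7d);
let endtime = ago(3d);
let session_threshold = 1; // a user is flagged when MORE than this many sessions have multiple IPs
// Get the successful sign-in events from Azure Active Directory.
// Rows with an empty SessionId are dropped: an empty key would make every such
// row join every other empty-key row for the account and inflate IPCount.
let signin_events = AADSignInEventsBeta
| where Timestamp between (starttime .. endtime)
| where ErrorCode == 0 // successful sign-ins only
| where isnotempty(SessionId)
| project Timestamp, AccountObjectId, AccountUpn, IPAddress, SessionId;
// Get the cloud app events from Microsoft Cloud App Security, restricted to the
// same time window as the sign-ins.
let cloudapp_events = CloudAppEvents
| where Timestamp between (starttime .. endtime)
| extend SessionId = tostring(RawEventData.SessionId)
| where isnotempty(SessionId)
| project Timestamp, AccountId, AccountDisplayName, IPAddress, SessionId;
// Join the sign-in events and the cloud app events by account object id and session id.
// After the join the sign-in IP is IPAddress and the cloud app IP is IPAddress1.
// Both are folded into a single IPAddress column so the distinct count below
// covers the IP the session was created from AND every IP it was used from;
// projecting only the left-hand IPAddress would silently ignore the cloud app side.
let joined_events = signin_events
| join kind=inner cloudapp_events on $left.AccountObjectId == $right.AccountId, SessionId
| extend SessionIPs = pack_array(IPAddress, IPAddress1)
| project-away IPAddress, IPAddress1
| mv-expand IPAddress = SessionIPs to typeof(string)
| project Timestamp, AccountUpn, IPAddress, SessionId;
// Count the number of distinct IP addresses per user and session
let session_stats = joined_events
| summarize IPCount = dcount(IPAddress) by AccountUpn, SessionId;
// Find the sessions that have more than one IP address associated with them
// (IPCount is kept so the final result does not need a second join back).
let multi_ip_sessions = session_stats
| where IPCount > 1;
// Find the users that have more than the threshold number of sessions with multiple IP addresses
let suspicious_users = multi_ip_sessions
| summarize SessionCount = count() by AccountUpn
| where SessionCount > session_threshold
| project AccountUpn;
// Return the suspicious users and their sessions with multiple IP addresses
multi_ip_sessions
| join kind=inner suspicious_users on AccountUpn
| project AccountUpn, SessionId, IPCount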