-
Notifications
You must be signed in to change notification settings - Fork 0
/
sus-login-after-pw-change.kql
34 lines (34 loc) · 1.42 KB
/
sus-login-after-pw-change.kql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
// Goal of this script is to search for suspicious logins based on password change events
// followed by a login from an unexpected location shortly after.
let PasswordChangeEvents = () {
let PwordChange = AuditLogs
| where OperationName has "password" and OperationName != "Self-service password reset flow activity progress"
| where Result == "success"
| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend PasswordChangeTime = TimeGenerated;
PwordChange
};
let SuccessfulLoginEvents = () {
let SucLogin = SigninLogs
| where ResultType == 0
| where IsInteractive == true
| extend Country = tostring(LocationDetails.countryOrRegion)
| where Country != "AU" and Country != ""
| extend LoginTime = TimeGenerated;
SucLogin
};
PasswordChangeEvents
| join kind=inner (
SuccessfulLoginEvents
) on UserPrincipalName
| project UserPrincipalName, PasswordChangeTime, LoginTime, IPAddress, Country
| where LoginTime between (PasswordChangeTime..datetime_add('hour',24,PasswordChangeTime))
| join kind=leftanti (
PasswordChangeEvents
| join kind=inner (
SuccessfulLoginEvents
) on UserPrincipalName
| project UserPrincipalName, PasswordChangeTime, LoginTime, IPAddress
| where LoginTime between (datetime_add('day',-7,PasswordChangeTime)..PasswordChangeTime)
) on IPAddress
| where PasswordChangeTime > ago(28d)