Successful join of fake device using ROPC (query by @goldjg)
Query written by Graham Gold https://www.linkedin.com/in/graham-gold/ - Github: @goldjg
Detection Query
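//Query written by Graham Gold https://www.linkedin.com/in/graham-gold/ - Github: @goldjg
// Purpose: pair a successful ROPC (username/password, non-interactive) sign-in
// to the Device Registration Service with an "Add device" audit event that
// landed within WindowSize of it. A device join completed over ROPC is unusual
// for an interactive user and is consistent with a scripted or
// attacker-controlled ("fake") device being registered.
// Tunables: LookbackPeriod bounds BOTH tables; WindowSize is how far either
// side of the sign-in the audit event may fall and still be paired.
let LookbackPeriod = 90d;
let WindowSize = 60s;
let SigninEvents = SigninLogs
| where TimeGenerated >= ago(LookbackPeriod)
| where ResourceDisplayName has "Device Registration Service"
| where AuthenticationProtocol has "ropc"
| where ResultType == "0"   // successful sign-ins only
| project SigninTime = CreatedDateTime,
    SigninUserPrincipalName = UserPrincipalName,
    SigninCorrelationId = CorrelationId,
    SigninUserAgent = UserAgent,
    StartTime = CreatedDateTime - WindowSize,
    EndTime = CreatedDateTime + WindowSize,
    dummy = 1;   // constant key: the join below is a deliberate cross join
SigninEvents
| join kind=inner (
    AuditLogs
    // Bound the right side as well; the original query only bounded
    // SigninLogs, so the cross join spanned the whole query time range
    // before the window filter below could discard rows.
    | where TimeGenerated >= ago(LookbackPeriod)
    | where OperationName has "Add device"
    | where Result has "success"
    | project AuditTime = ActivityDateTime,
        // TargetResources is already dynamic; the former
        // tostring(parse_json(tostring(...))) round-trip was redundant.
        FakeDeviceId = tostring(TargetResources[0].id),
        FakeDeviceDisplayName = tostring(TargetResources[0].displayName),
        AuditCorrelationId = CorrelationId,
        // Actor recorded on the audit event, kept for triage only (not used
        // as a join key). May be empty when the registration is attributed
        // to an application rather than a user.
        AuditInitiatedByUser = tostring(InitiatedBy.user.userPrincipalName),
        dummy = 1
) on dummy
// Keep only pairs where the device was added within WindowSize of the sign-in.
| where AuditTime between (StartTime .. EndTime)
// Both correlation ids are emitted so an analyst can check whether the
// sign-in and the registration belong to the same request chain.
| project SigninTime, AuditTime, SigninUserPrincipalName, SigninCorrelationId, SigninUserAgent, FakeDeviceId, FakeDeviceDisplayName, AuditCorrelationId, AuditInitiatedByUser
Data Sources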
SigninLogs
AuditLogs
Platforms
azure-ad
Tags
entra
Raw Content
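//Query written by Graham Gold https://www.linkedin.com/in/graham-gold/ - Github: @goldjg
// Purpose: pair a successful ROPC (username/password, non-interactive) sign-in
// to the Device Registration Service with an "Add device" audit event that
// landed within WindowSize of it. A device join completed over ROPC is unusual
// for an interactive user and is consistent with a scripted or
// attacker-controlled ("fake") device being registered.
// Tunables: LookbackPeriod bounds BOTH tables; WindowSize is how far either
// side of the sign-in the audit event may fall and still be paired.
let LookbackPeriod = 90d;
let WindowSize = 60s;
let SigninEvents = SigninLogs
| where TimeGenerated >= ago(LookbackPeriod)
| where ResourceDisplayName has "Device Registration Service"
| where AuthenticationProtocol has "ropc"
| where ResultType == "0"   // successful sign-ins only
| project SigninTime = CreatedDateTime,
    SigninUserPrincipalName = UserPrincipalName,
    SigninCorrelationId = CorrelationId,
    SigninUserAgent = UserAgent,
    StartTime = CreatedDateTime - WindowSize,
    EndTime = CreatedDateTime + WindowSize,
    dummy = 1;   // constant key: the join below is a deliberate cross join
SigninEvents
| join kind=inner (
    AuditLogs
    // Bound the right side as well; the original query only bounded
    // SigninLogs, so the cross join spanned the whole query time range
    // before the window filter below could discard rows.
    | where TimeGenerated >= ago(LookbackPeriod)
    | where OperationName has "Add device"
    | where Result has "success"
    | project AuditTime = ActivityDateTime,
        // TargetResources is already dynamic; the former
        // tostring(parse_json(tostring(...))) round-trip was redundant.
        FakeDeviceId = tostring(TargetResources[0].id),
        FakeDeviceDisplayName = tostring(TargetResources[0].displayName),
        AuditCorrelationId = CorrelationId,
        // Actor recorded on the audit event, kept for triage only (not used
        // as a join key). May be empty when the registration is attributed
        // to an application rather than a user.
        AuditInitiatedByUser = tostring(InitiatedBy.user.userPrincipalName),
        dummy = 1
) on dummy
// Keep only pairs where the device was added within WindowSize of the sign-in.
| where AuditTime between (StartTime .. EndTime)
// Both correlation ids are emitted so an analyst can check whether the
// sign-in and the registration belong to the same request chain.
| project SigninTime, AuditTime, SigninUserPrincipalName, SigninCorrelationId, SigninUserAgent, FakeDeviceId, FakeDeviceDisplayName, AuditCorrelationId, AuditInitiatedByUser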