Reduce Noise from AAD Non Interactive  SignIns

Introduction

As part of the Azure Active Directory data connector in Sentinel, AADNonInteractiveUserSignInLogs is one of the data sources.

Because this table logs sign-ins that mostly need no user intervention, any error stays hidden like a well-kept secret. In that process:

  1. The volume of failed sign-in logs grows.
  2. The errors go unnoticed and lead towards an unhealthy environment.

Design

To avoid this, we can approach the problem from two parallel branches:

  1. Identify the top applications where login failures are taking place.
  2. Identify the top users for whom failed sign-in logs are being generated.

Each branch can be checked with a query saved as a KQL function:

  1. Top10NonInteractiveSigninFailedApps
  2. Top10NonInteractiveSigninFailedUsers

Query / KQL Function

Below are the queries used in this approach.

Top10NonInteractiveSigninFailedApps

AADNonInteractiveUserSignInLogs
// Status is a JSON string; errorCode 0 is a success, anything else is a failure
| extend ErrorCode = toint(parse_json(Status).errorCode)
| summarize TotalLogins = count(),
    SuccessfulLogins = countif(ErrorCode == 0),
    FailedLogins = countif(ErrorCode != 0),
    Users = make_set(UserPrincipalName)
    by AppDisplayName, ClientAppUsed
| where FailedLogins > 0
// rank by failure count so that take 10 really returns the top 10
| order by FailedLogins desc
| project AppDisplayName, ClientAppUsed, FailedLogins, UserCount = array_length(Users)
| take 10
| render columnchart

Top10NonInteractiveSigninFailedUsers


AADNonInteractiveUserSignInLogs
// Status is a JSON string; errorCode 0 is a success, anything else is a failure
| extend ErrorCode = toint(parse_json(Status).errorCode)
| summarize TotalLogins = count(),
    SuccessfulLogins = countif(ErrorCode == 0),
    FailedLogins = countif(ErrorCode != 0),
    Apps = make_set(AppDisplayName),
    ClientApps = make_set(ClientAppUsed)
    by UserPrincipalName
| where FailedLogins > 0
| order by FailedLogins desc
// the chart only needs the success/failure split per user
| project-away TotalLogins
| take 10
| render columnchart

Source Code

You can use the source code below to save these queries as functions in the workspace.
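The article's source code and its deploy button were images that did not survive extraction. As an added example (not the article's own template), the ARM template below registers both queries as saved-search functions on a Log Analytics workspace, which is what a "Deploy to Azure" button normally wraps. The workspaceName parameter, the category and display names, and the lookback function parameter (defaulting to 7 days) are my assumptions; the render operator is deliberately left out of the stored queries so the functions can be used inside analytics rules, where render is not allowed.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": {
        "description": "Assumed parameter: name of the Log Analytics workspace that Sentinel is enabled on"
      }
    }
  },
  "variables": {
    "failedAppsQuery": "AADNonInteractiveUserSignInLogs\n| where TimeGenerated > ago(lookback)\n| extend ErrorCode = toint(parse_json(Status).errorCode)\n| summarize TotalLogins = count(), SuccessfulLogins = countif(ErrorCode == 0), FailedLogins = countif(ErrorCode != 0), Users = make_set(UserPrincipalName) by AppDisplayName, ClientAppUsed\n| where FailedLogins > 0\n| order by FailedLogins desc\n| project AppDisplayName, ClientAppUsed, FailedLogins, UserCount = array_length(Users)\n| take 10",
    "failedUsersQuery": "AADNonInteractiveUserSignInLogs\n| where TimeGenerated > ago(lookback)\n| extend ErrorCode = toint(parse_json(Status).errorCode)\n| summarize TotalLogins = count(), SuccessfulLogins = countif(ErrorCode == 0), FailedLogins = countif(ErrorCode != 0), Apps = make_set(AppDisplayName), ClientApps = make_set(ClientAppUsed) by UserPrincipalName\n| where FailedLogins > 0\n| order by FailedLogins desc\n| project-away TotalLogins\n| take 10"
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[concat(parameters('workspaceName'), '/Top10NonInteractiveSigninFailedApps')]",
      "properties": {
        "category": "AAD Noise Reduction",
        "displayName": "Top 10 non-interactive sign-in apps with failures",
        "functionAlias": "Top10NonInteractiveSigninFailedApps",
        "functionParameters": "lookback:timespan=7d",
        "query": "[variables('failedAppsQuery')]",
        "version": 2
      }
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[concat(parameters('workspaceName'), '/Top10NonInteractiveSigninFailedUsers')]",
      "properties": {
        "category": "AAD Noise Reduction",
        "displayName": "Top 10 users with non-interactive sign-in failures",
        "functionAlias": "Top10NonInteractiveSigninFailedUsers",
        "functionParameters": "lookback:timespan=7d",
        "query": "[variables('failedUsersQuery')]",
        "version": 2
      }
    }
  ]
}
```

After deployment, each function is called by its alias with an optional timespan argument, so a hunting query can narrow the window to the last day while an analytics rule can keep the 7-day default; the caller appends its own render or join as needed.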



Use the Deploy to Azure button to deploy the functions to your Sentinel workspace, then follow the deployment steps below.



Deployment

Step 1: Fill in the deployment form with the target workspace details.

Step 2: Confirm that the deployment succeeded and that the functions appear in the workspace.

Conclusion

Once the deployment is complete, the functions can be referenced in hunting queries, analytics rules and workbooks for various use cases.

With the solution deployed, the top 10 apps and users with failed sign-ins are a function call away in your workspace.

Feel free to extend it with your own ideas!

More articles by Samik Roy
