AAD SignIns Insights

[piaudonn]

I wonder if there would be an interest for such a module. It's essentially a similar concept of what we have for analysts in the entity page available for automation and a bit of what we have in UEBA.

Takes a user and return stats such as:

• Last successful logon data (timestamp + other metadata)
• Last failed logon data
• Usual user-agent-string data
• Usual contries/IPs

If there is a cloud-logon-session present in the entities (case of an AAD Protection alert), return all the info about this particular login.

That last one maybe could be added to the AAD Risk Module instead.

[briandelmsft]

I like the idea, would this be a new module or perhaps an extension to the capabilities of the AAD Risks? It may make it too complex though if we add it... not sure off hand.

One issue, the cloud-logon-session is not passed from the incident trigger so you have to go back into SecurityAlerts to get it.... this is one of the reasons for #205 so you can use the KQL module to lookup the incident easily and work from there

[piaudonn]

Maybe also return a table of last successfull access per app?

[briandelmsft]

possibilities to include:

• Conditional access failures (and the policies that failed)
• Named locations the user has been seen from
• Device join status of the signins
• password resets or other interesting admin actions on account

[piaudonn]

• insights about signin hours

(although we would need to define what baseline could be used to determine out of character behaviors)

[piaudonn]

What about enriching other type of objects than users.

Computer: list history of compliance, on-boarding status, number of failed requests coming from this devices, list of users using it to request tokens etc... Maybe a top 10 with a link to a query to see the rest.
Application: creation time of the app, permissions and consent data, info from app governance, nb of Identity protection events with that app
IP: number of distinct users using it, stats for success vs failures, nb of Identity protection events with that IP address.