Use KQL to improve MFA implementation

Here is a way we can use KQL to improve the MFA implementation in our organization:

It is critical for an organization to use MFA effectively to prevent unauthorized access. One of the most popular MFA methods among users is the text message (SMS). Microsoft recommends using passwordless authentication instead, such as the Microsoft Authenticator app or a FIDO2 security key.



We can use the following KQL query in Microsoft Sentinel to find the users whose only MFA method is the text message and encourage them to move to passwordless methods.


SigninLogs
| where TimeGenerated > ago(60d)
| where UserType == "Member"
| mv-expand todynamic(AuthenticationDetails)
| extend ['Authentication Method'] = tostring(AuthenticationDetails.authenticationMethod)
| where ['Authentication Method'] !in ("Previously satisfied", "Password", "Other")
| where isnotempty(['Authentication Method'])
| summarize
    ['Count of distinct MFA Methods'] = dcount(['Authentication Method']),
    ['List of MFA Methods'] = make_set(['Authentication Method'])
    by UserPrincipalName
// Find users with only one method found, and that method is the text message
| where ['Count of distinct MFA Methods'] == 1 and ['List of MFA Methods'] has "text"
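The query above gives a one-off list of users to contact. Once that outreach starts, it helps to measure whether the share of SMS-only users is actually going down. The following query is an added example written for this post (it is not part of the original post) and reuses the same SigninLogs fields and the same 60-day lookback; it buckets sign-ins by week and reports how many MFA users in each week relied on the text message alone. The column names and the 60d lookback are assumptions you can adjust.

```kql
// Added example: weekly trend of SMS-only MFA users, to track progress of a passwordless campaign.
// Assumes the same SigninLogs schema used in the query above (AuthenticationDetails array with
// an authenticationMethod property); lookback window is an assumption.
let lookback = 60d;
let MfaMethods =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where UserType == "Member"
    | mv-expand todynamic(AuthenticationDetails)
    | extend ['Authentication Method'] = tostring(AuthenticationDetails.authenticationMethod)
    | where ['Authentication Method'] !in ("Previously satisfied", "Password", "Other")
    | where isnotempty(['Authentication Method'])
    | extend Week = startofweek(TimeGenerated);
MfaMethods
// Per user and per week: how many distinct MFA methods were seen, and which ones
| summarize
    ['Count of distinct MFA Methods'] = dcount(['Authentication Method']),
    ['List of MFA Methods'] = make_set(['Authentication Method'])
    by Week, UserPrincipalName
// Same rule as the original query: exactly one method, and it is the text message
| extend ['SMS only'] = ['Count of distinct MFA Methods'] == 1 and ['List of MFA Methods'] has "text"
// Roll up to one row per week so the trend is easy to chart
| summarize
    ['Users with MFA'] = dcount(UserPrincipalName),
    ['SMS-only users'] = dcountif(UserPrincipalName, ['SMS only'])
    by Week
| extend ['SMS-only share %'] = round(100.0 * ['SMS-only users'] / ['Users with MFA'], 1)
| order by Week asc
```

Render the result with the Sentinel chart option (or pipe it into a workbook) and the "SMS-only share %" column should fall week over week as users register the Authenticator app or a FIDO2 key; a flat line tells you the outreach is not landing. Because the per-user rule is identical to the original query, the two queries can be used together: the original for the list of people to contact, this one for the metric.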
