User ID's Monitoring

[PuneethRaya]

Hello Team,

In our workstations , we have set of applications access from the browser. We want to monitor if any one logged in the respective applications with one particular user ID. Is there any way to monitor and get an alerts by using custom scripts and any other way? Any solution will be really appreciable.

[A-dd-Y]

@PuneethRaya Hi Puneeth, ATP doesn't log web authentication logs however, if your web application redirect to url that contain "user ID" after successful login you can use below query to check user machine's AD login info.

DeviceNetworkEvents
| where RemoteUrl has "user id"
| summarize count() by InitiatingProcessAccountUpn
| sort by count_

[PuneethRaya]

Thank you very much!!
We need alerting mechanism whenever successful Login. Will this query helps to achieve this? if i create advanced hunting query.

[A-dd-Y]

@PuneethRaya Sure, Just save your hunting query as detection rule.

Add Timestamp and ReportId in your project, something like below..

DeviceNetworkEvents
| where RemoteUrl has "user id"
| project Timestamp, ReportId, InitiatingProcessAccountUpn

[PuneethRaya]

Wonderful!!one more last request... Is it possible get in output which web URL successful authentication happened ?

[PuneethRaya]

DeviceNetworkEvents
| where RemoteUrl has "user ID "
| project Timestamp, ReportId, InitiatingProcessAccountUpn, RemoteUrl

This helped me !!thank you !!

[PuneethRaya]

Is there any way to restrict post authentication user shouldn't perform any activity/block or at least sending an auto email to the that particular AD users?

[A-dd-Y]

@PuneethRaya hey, when you save your query as a detection rule, you can configure your email for alert notification.

after that you can forward that email to that particular user based on the email content.

[tali-ash]

@PuneethRaya FYI there are also two tables which monitor identities logons :
IdentityLogonEvents - logons against AD and AAD as monitored by MDI and MCAS
AADSignInEventsBeta - AAD sign ins as monitored by AAD