kql_queries
KQL queries for Incident Response
KQL query to detect cross-tenant synchronization attacks
This query surfaces the first step of a cross-tenant synchronization attack: an operator adding an external tenant as a partner in the cross-tenant access settings of your tenant. AADTenantId is the tenant that produced the audit record (the source tenant), and the partner tenant ID is read from the tenantId property in the modifiedProperties of the first TargetResources entry.
AuditLogs
| where OperationName == "Add a partner to cross-tenant access setting"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[0].displayName == "tenantId"
| extend initiating_user = parse_json(tostring(InitiatedBy.user)).userPrincipalName
| extend source_ip = parse_json(tostring(InitiatedBy.user)).ipAddress
| extend target_tenant = parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue
| project TimeGenerated, OperationName, initiating_user, source_ip, AADTenantId, target_tenant
| project-rename source_tenant = AADTenantId
Adding a partner is also how legitimate B2B collaboration is configured, so treat a hit as a lead rather than a verdict: check whether target_tenant is a partner you expect, whether initiating_user and source_ip are consistent with an authorised change, and whether the same partner entry was subsequently modified to enable inbound synchronization. Note that the second where clause only matches when tenantId is the first modified property; if it is not, the event is silently dropped.
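As an added example that is not part of the original repository, the following replays the same detection logic over a few constructed AuditLogs rows (made-up tenant IDs, user principal names and IP addresses) built with a datatable, so the parsing can be validated without live data. It also goes slightly beyond the query above: it uses mv-expand so the tenantId property is found wherever it sits in modifiedProperties, strips the JSON quoting from newValue, and compares the partner tenant against a hypothetical allow-list of expected partners (known_partner_tenants, an assumed name).

```kql
// Added example, not code from the original repository.
// All tenant IDs, UPNs and IP addresses below are constructed for the test.
// Hypothetical allow-list: tenants you already expect to be partnered with.
let known_partner_tenants = dynamic(["33333333-3333-3333-3333-333333333333"]);
let SampleAuditLogs = datatable(
    TimeGenerated: datetime,
    OperationName: string,
    AADTenantId: string,
    InitiatedBy: dynamic,
    TargetResources: dynamic
)[
    // Unknown partner added: the case the detection should flag
    datetime(2024-01-15T10:03:12Z),
    "Add a partner to cross-tenant access setting",
    "11111111-1111-1111-1111-111111111111",
    dynamic({"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}}),
    dynamic([{"modifiedProperties": [{"displayName": "tenantId", "newValue": "\"22222222-2222-2222-2222-222222222222\"", "oldValue": ""}]}]),
    // Expected partner added: still surfaced, but marked as known
    datetime(2024-01-15T11:20:05Z),
    "Add a partner to cross-tenant access setting",
    "11111111-1111-1111-1111-111111111111",
    dynamic({"user": {"userPrincipalName": "it-ops@contoso.example", "ipAddress": "198.51.100.7"}}),
    dynamic([{"modifiedProperties": [{"displayName": "tenantId", "newValue": "\"33333333-3333-3333-3333-333333333333\"", "oldValue": ""}]}]),
    // Unrelated privileged change: must be removed by the OperationName filter
    datetime(2024-01-15T11:25:40Z),
    "Add member to role",
    "11111111-1111-1111-1111-111111111111",
    dynamic({"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}}),
    dynamic([{"modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\"", "oldValue": ""}]}])
];
SampleAuditLogs
| where OperationName == "Add a partner to cross-tenant access setting"
// Expand every modified property instead of assuming tenantId is the first one
| mv-expand prop = TargetResources[0].modifiedProperties
| where tostring(prop.displayName) == "tenantId"
| extend initiating_user = tostring(InitiatedBy.user.userPrincipalName)
| extend source_ip = tostring(InitiatedBy.user.ipAddress)
// newValue is stored as a JSON-encoded string ("\"<guid>\""), so strip the surrounding quotes
| extend target_tenant = trim('"', tostring(prop.newValue))
// Flag partners that are not on the allow-list; unknown partners sort first
| extend known_partner = set_has_element(known_partner_tenants, target_tenant)
| project TimeGenerated, initiating_user, source_ip, source_tenant = AADTenantId, target_tenant, known_partner
| order by known_partner asc, TimeGenerated asc
```

Running this against the sample rows returns two rows (the role change is filtered out), with the 22222222-... partner listed first as known_partner == false. To use it in production, replace SampleAuditLogs with AuditLogs and populate known_partner_tenants from your actual partner inventory.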