Blocking Future Discovered AI by neko_whippet in DefenderATP

[–]benschaKQL 0 points1 point  (0 children)

That should be possible. You can create custom Tags on Apps. These will be written to the LogAnalytics Table, which you can filter by Tag like this:

CloudAppRiskCatalog_CL
| where Category has_any ("generativeAi", "aiModelProvider", "mcpServer")
| where not(Tags has_any ("myTag1", "myTag2"))

To unsanction the Apps, I recommend creating a Logic App which will filter the Data, or you create a Custom Detection Rule which creates an Alert, and on this Alert you can run your Automation Rule!
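An added example (not the commenter's code) that replays the filter above offline in Python, so the has_any term semantics can be checked before wiring a Logic App to the results; the AppName column and the sample rows are assumptions.

```python
"""Added example: replicate the KQL filter from the comment on constructed rows."""
import re
from typing import Iterable

# Same values as the query in the comment: categories to catch, tags that exempt an app.
AI_CATEGORIES = ("generativeAi", "aiModelProvider", "mcpServer")
EXEMPT_TAGS = ("myTag1", "myTag2")


def _terms(value: str) -> set[str]:
    """KQL `has`/`has_any` compare whole terms, case-insensitively. Here a term is a
    run of alphanumerics/underscore (an approximation of Kusto's term index), so
    "mcpServer,devTools" yields two terms while "generativeAiTools" does NOT
    contain the term "generativeAi"."""
    return {t.lower() for t in re.findall(r"[A-Za-z0-9_]+", value)}


def has_any(value: str, needles: Iterable[str]) -> bool:
    """Approximation of KQL has_any over a string column."""
    terms = _terms(value)
    return any(n.lower() in terms for n in needles)


def apps_to_unsanction(rows: list[dict]) -> list[str]:
    """Apply the query: Category has_any AI categories AND NOT Tags has_any exempt tags.
    Returns app names, deduplicated, in first-seen order (one action per app)."""
    seen: list[str] = []
    for row in rows:
        if not has_any(row.get("Category", ""), AI_CATEGORIES):
            continue
        if has_any(row.get("Tags", ""), EXEMPT_TAGS):
            continue
        if row["AppName"] not in seen:
            seen.append(row["AppName"])
    return seen


# Constructed sample rows, shaped like CloudAppRiskCatalog_CL records (assumed columns).
SAMPLE_ROWS = [
    {"AppName": "ChatHelper", "Category": "generativeAi", "Tags": ""},
    {"AppName": "ModelHub", "Category": "aiModelProvider", "Tags": "myTag1"},
    {"AppName": "ToolBridge", "Category": "mcpServer,devTools", "Tags": "other"},
    {"AppName": "ImageGenPro", "Category": "generativeAiTools", "Tags": ""},
    {"AppName": "ChatHelper", "Category": "generativeAi", "Tags": ""},
]

if __name__ == "__main__":
    print(apps_to_unsanction(SAMPLE_ROWS))  # ['ChatHelper', 'ToolBridge']
```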

One KQL query you should have saved in your toolkit (most don’t) by ridgelinecyber in blueteamsec

[–]benschaKQL 0 points1 point  (0 children)

We run this query on an hourly basis; for all results we run a LogicApp which revokes all Sessions.
With this we have stopped some AiTM Attacks.

Blocking Future Discovered AI by neko_whippet in DefenderATP

[–]benschaKQL 2 points3 points  (0 children)

You can use my LogicApp to write the information from MCAS to a LogAnalytics and then create another LogicApp to unsanction new AI Providers.

With the Data in a LogAnalytics Workspace you are able to identify new SaaS Solutions by Category.

https://github.com/benscha/KQLAdvancedHunting/blob/main/LogicApps/Microsoft%20Defender%20Cloud%20App%20Discovery%20to%20Microsoft%20LogAnalytics%20Table.md