Query Details

AAD User Risk Events Leaked Credentials

Query

let query_frequency = 5m;   // how often the scheduled rule runs
let query_period = 2d;      // lookback window for the events
AADUserRiskEvents
| where TimeGenerated > ago(query_period)
| where OperationName == "User Risk Detection" and Source == "IdentityProtection" and RiskEventType == "leakedCredentials"
// one row per risk event Id: earliest time the Id was seen, plus all columns from its most recent row
| summarize minTimeGenerated = min(TimeGenerated), arg_max(TimeGenerated, *) by Id
// alert only on Ids first seen since the previous run, so each detection fires once
| where minTimeGenerated > ago(query_frequency)
| project
    TimeGenerated,
    OperationName,
    Source,
    Activity,
    UserDisplayName,
    UserPrincipalName,
    UserId,
    RiskEventType,
    RiskState,
    RiskDetail,
    RiskLevel,
    DetectionTimingType

Explanation

This query retrieves user risk events related to leaked credentials from Azure Active Directory Identity Protection. It keeps only AADUserRiskEvents rows from the last query_period (2 days) whose OperationName is "User Risk Detection", whose Source is "IdentityProtection" and whose RiskEventType is "leakedCredentials". The query then summarizes the events by the risk event Id, recording the earliest TimeGenerated seen for that Id (minTimeGenerated) and taking all other columns from the Id's most recent row (arg_max(TimeGenerated, *)), so a detection whose state has since been updated is reported once, with its latest state. It further filters to Ids whose minTimeGenerated falls within the last query_frequency (5 minutes), which means each detection alerts on a single scheduled run, the one immediately after it first appears, rather than on every run during the two-day lookback. Finally, it projects specific columns for the output, including the time generated, operation name, source, activity, user display name, user principal name, user ID, risk event type, risk state, risk detail, risk level, and detection timing type.
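As an added illustration that is not part of the original query page, the following Python mirrors the query's filter, summarize-by-Id and frequency-gate logic over constructed sample rows, showing which risk event Ids fire on a given run and why an updated event does not re-alert. Column names follow the query; the sample rows, timestamps and the NOW constant are assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 2, 5, 12, 0, tzinfo=timezone.utc)  # assumed "current" run time
QUERY_FREQUENCY = timedelta(minutes=5)   # how often the rule runs
QUERY_PERIOD = timedelta(days=2)         # lookback window

def row(event_id, minutes_ago, upn, state, risk_type="leakedCredentials",
        op="User Risk Detection", source="IdentityProtection"):
    """Build one constructed AADUserRiskEvents-shaped record (sample data, not real)."""
    return {"Id": event_id, "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "UserPrincipalName": upn, "RiskState": state, "RiskEventType": risk_type,
            "OperationName": op, "Source": source}

SAMPLE_EVENTS = [
    row("evt-1", 2, "alice@example.com", "atRisk"),                # new, fires
    row("evt-2", 60, "bob@example.com", "atRisk"),                 # first seen an hour ago
    row("evt-2", 1, "bob@example.com", "remediated"),              # same Id updated: no re-alert
    row("evt-3", 1, "carol@example.com", "atRisk", risk_type="unfamiliarFeatures"),  # wrong type
    row("evt-4", 3 * 24 * 60, "dave@example.com", "atRisk"),       # outside query_period
    row("evt-5", 4, "erin@example.com", "atRisk"),                 # new, two rows in window
    row("evt-5", 1, "erin@example.com", "confirmedCompromised"),   # latest state wins
]

def leaked_credential_alerts(events, now=NOW):
    """Python mirror of the KQL: filter -> summarize by Id -> frequency gate -> project."""
    in_scope = [e for e in events
                if e["TimeGenerated"] > now - QUERY_PERIOD
                and e["OperationName"] == "User Risk Detection"
                and e["Source"] == "IdentityProtection"
                and e["RiskEventType"] == "leakedCredentials"]
    by_id = {}
    # summarize minTimeGenerated = min(TimeGenerated), arg_max(TimeGenerated, *) by Id
    for e in in_scope:
        cur = by_id.get(e["Id"])
        if cur is None:
            by_id[e["Id"]] = {"minTimeGenerated": e["TimeGenerated"], "latest": e}
            continue
        cur["minTimeGenerated"] = min(cur["minTimeGenerated"], e["TimeGenerated"])
        if e["TimeGenerated"] > cur["latest"]["TimeGenerated"]:
            cur["latest"] = e
    # where minTimeGenerated > ago(query_frequency): only Ids first seen since the last run
    alerts = [v["latest"] for v in by_id.values() if v["minTimeGenerated"] > now - QUERY_FREQUENCY]
    # project a subset of the columns, ordered by Id for stable output
    return [{k: a[k] for k in ("Id", "TimeGenerated", "UserPrincipalName", "RiskEventType", "RiskState")}
            for a in sorted(alerts, key=lambda a: a["Id"])]

if __name__ == "__main__":
    for a in leaked_credential_alerts(SAMPLE_EVENTS):
        print(a["Id"], a["UserPrincipalName"], a["RiskState"])
```

Running it reports evt-1 and evt-5 only; evt-5 carries its most recent RiskState, and evt-2 stays silent because it first appeared before the previous run.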

Details

Jose Sebastián Canós

Released: February 5, 2024

Tables

AADUserRiskEvents

Keywords

AADUserRiskEvents,TimeGenerated,OperationName,Source,Activity,UserDisplayName,UserPrincipalName,UserId,RiskEventType,RiskState,RiskDetail,RiskLevel,DetectionTimingType

Operators

where, ago, ==, and, summarize, min, arg_max, by, >, project