Query Details

AR Break Glass Account

Query

//Monitor break-glass account usage

SigninLogs
| where OperationName == "Sign-in activity" and UserPrincipalName == "[email protected]"
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddress

Explanation

This query returns sign-in activity for a specific emergency (break-glass) account, matched by its user principal name. It also maps the account name and the source IP address to the AccountCustomEntity and IPCustomEntity fields.

Details

Rod Trent

Released: March 8, 2024

Tables

SigninLogs

Keywords

SigninLogs, UserPrincipalName, OperationName, AccountCustomEntity, IPCustomEntity

Operators

where, and, extend
