AR Break Glass Account
Query
//Monitor break-glass account usage
SigninLogs
| where OperationName == "Sign-in activity" and UserPrincipalName == "[email protected]"
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddressExplanation
This query is checking the sign-in activity for a specific emergency account by monitoring the user's email address and IP address.
Details

Rod Trent
Released: March 8, 2024
Tables
SigninLogs
Keywords
SigninLogsUserPrincipalNameOperationNameAccountCustomEntityIPCustomEntity.
Operators
whereandextend