Query Details

AR Break Glass Account

Query

// Monitor break-glass account usage
SigninLogs
// Keep only sign-in events for the designated emergency account
| where OperationName == "Sign-in activity" and UserPrincipalName == "[email protected]"
// Map the account and source IP to the entity columns Sentinel uses for incident entities
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddress

Explanation

This query monitors the usage of a specific emergency (break-glass) account. It reads the SigninLogs table and keeps only records where the operation name is "Sign-in activity" and the user principal name matches the specified emergency account. It then copies the user principal name and IP address into the AccountCustomEntity and IPCustomEntity columns, which Sentinel uses to attach the account and IP as entities to any resulting alert.
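Because a break-glass account should almost never sign in, any hit is worth a look, but a practitioner usually has more than one such account and wants to know at a glance whether the attempt succeeded and from where. The following is an added example, not the query from this page, that generalizes it to a list of accounts. The UPNs, the one-hour lookback, and the column names used in the summarize are assumptions: the UPNs are placeholders for your tenant's emergency accounts, and TimeGenerated, ResultType, ResultDescription, AppDisplayName and Location are standard SigninLogs columns.

```kql
// Added example (not the page's original query): watch several break-glass accounts at once.
// Placeholder UPNs; replace with the emergency accounts in your tenant.
let BreakGlassAccounts = dynamic([
    "breakglass1@contoso.onmicrosoft.com",
    "breakglass2@contoso.onmicrosoft.com"
]);
SigninLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Sign-in activity"
// == on strings is case-sensitive in KQL; in~ is case-insensitive, so a UPN
// logged with different casing than the one you typed is still matched.
| where UserPrincipalName in~ (BreakGlassAccounts)
// ResultType "0" is a successful sign-in; anything else is a failure
| extend Outcome = iff(ResultType == "0", "Success", "Failure")
| summarize SignInCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Apps = make_set(AppDisplayName),
            Results = make_set(ResultDescription)
          by UserPrincipalName, IPAddress, Outcome, Location
// Keep the same entity mapping as the original query so alerts carry account and IP entities
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddress
```

Grouping by account, IP, outcome and location keeps one row per distinct source rather than one per attempt, which matters when a failed-password loop against the account would otherwise produce hundreds of identical alerts; the count, first-seen and last-seen columns preserve the volume and timing for the analyst.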

Details


Rod Trent

Released: December 11, 2020

Tables

SigninLogs

Keywords

SigninLogs, OperationName, UserPrincipalName, AccountCustomEntity, IPCustomEntity, IPAddress

Operators

where, and, ==, extend
