AR Break Glass Account
Query
//Monitor break-glass account usage
SigninLogs
| where OperationName == "Sign-in activity" and UserPrincipalName == "[email protected]"
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddressExplanation
This query is used to monitor the usage of a specific emergency account. It looks for sign-in activity logs where the operation name is "Sign-in activity" and the user principal name is the specified emergency account. It also adds custom entities for the account and IP address.
Details

Rod Trent
Released: December 11, 2020
Tables
SigninLogs
Keywords
SigninLogsOperationNameUserPrincipalNameAccountCustomEntityIPCustomEntityIPAddress
Operators
whereand==extend