Query Details
Anomalies
// Anomaly rule names carry a prefix, so match on the suffix (KQL endswith is case-insensitive).
// RuleStatus is "Flighting" while a rule is still being tuned in test mode; keep only rules promoted to Production.
| where RuleName endswith "Anomalous Azure AD sign-in sessions" and RuleStatus != "Flighting"
| extend
    // The first extended link holds the drill-down query behind the anomaly's detail blade;
    // an empty ExtendedLinks array yields null here rather than an error.
    Query = ExtendedLinks[0]["DetailBladeInputs"]
| project
    TimeGenerated,
    RuleName,
    Description,
    Query,
    UserPrincipalName,
    Score,
    AnomalyDetails,
    Entities,
    Tactics,
    Techniques,
    ExtendedLinks
This query retrieves rows from the Anomalies table whose rule name ends with "Anomalous Azure AD sign-in sessions" and whose RuleStatus is not "Flighting", so only rules promoted to Production are returned and rules still being tuned in Flighting (test) mode are excluded. The extend step lifts the drill-down query stored in the first ExtendedLinks entry's DetailBladeInputs into a Query column, and the project step keeps the time the anomaly was generated, the rule name, description, that query, the user principal name, the anomaly score, anomaly details, entities, tactics, techniques, and the raw extended links.
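As an added example, not part of the original page or of Microsoft Sentinel, the same where / extend / project logic mirrored in Python over constructed Anomalies rows. It makes two KQL behaviours explicit that the query depends on: endswith is case-insensitive, and indexing an empty ExtendedLinks array yields null instead of an error, which a consumer that reads the Query column must tolerate. The column names are those of the Anomalies table; the sample rows, rule names, scores and link contents are constructed for this example.

```python
from typing import Any, Dict, List, Optional

# Constructed sample rows shaped like the Microsoft Sentinel Anomalies table.
# Values are made up for this example; dynamic columns (ExtendedLinks,
# AnomalyDetails, Entities, Tactics, Techniques) are held as parsed objects,
# which is what a JSON export of the query result deserialises to.
SAMPLE_ANOMALIES: List[Dict[str, Any]] = [
    {   # matching rule, in Production -> kept
        "TimeGenerated": "2022-12-15T08:15:00Z",
        "RuleName": "(Preview) Anomalous Azure AD sign-in sessions",
        "RuleStatus": "Production",
        "Description": "Sign-in session deviates from the user's baseline",
        "UserPrincipalName": "alice@contoso.example",
        "Score": 87.5,
        "AnomalyDetails": {"AnomalyReasons": ["UnusualLocation", "NewBrowser"]},
        "Entities": [{"Type": "account", "Name": "alice", "UPNSuffix": "contoso.example"}],
        "Tactics": ["InitialAccess"],
        "Techniques": ["T1078"],
        "ExtendedLinks": [{
            "Label": "Sign-in details",
            "DetailBladeInputs": "SigninLogs | where UserPrincipalName == 'alice@contoso.example'",
        }],
    },
    {   # same rule, still in Flighting (test) mode -> dropped
        "TimeGenerated": "2022-12-15T08:20:00Z",
        "RuleName": "(Preview) Anomalous Azure AD sign-in sessions",
        "RuleStatus": "Flighting",
        "Description": "Sign-in session deviates from the user's baseline",
        "UserPrincipalName": "bob@contoso.example",
        "Score": 91.0,
        "AnomalyDetails": {"AnomalyReasons": ["UnusualISP"]},
        "Entities": [{"Type": "account", "Name": "bob", "UPNSuffix": "contoso.example"}],
        "Tactics": ["InitialAccess"],
        "Techniques": ["T1078"],
        "ExtendedLinks": [{"Label": "Sign-in details", "DetailBladeInputs": "SigninLogs | take 10"}],
    },
    {   # different anomaly rule -> dropped
        "TimeGenerated": "2022-12-15T08:25:00Z",
        "RuleName": "(Preview) Anomalous Azure operation",
        "RuleStatus": "Production",
        "Description": "Unusual management operation",
        "UserPrincipalName": "carol@contoso.example",
        "Score": 70.0,
        "AnomalyDetails": {},
        "Entities": [],
        "Tactics": ["Persistence"],
        "Techniques": ["T1098"],
        "ExtendedLinks": [],
    },
    {   # matching rule (upper-cased to show endswith is case-insensitive) with an
        # empty ExtendedLinks array -> kept, Query is null
        "TimeGenerated": "2022-12-15T08:30:00Z",
        "RuleName": "(Preview) ANOMALOUS AZURE AD SIGN-IN SESSIONS",
        "RuleStatus": "Production",
        "Description": "Sign-in session deviates from the user's baseline",
        "UserPrincipalName": "dave@contoso.example",
        "Score": 65.2,
        "AnomalyDetails": {"AnomalyReasons": ["NewDevice"]},
        "Entities": [{"Type": "account", "Name": "dave", "UPNSuffix": "contoso.example"}],
        "Tactics": ["InitialAccess"],
        "Techniques": ["T1078"],
        "ExtendedLinks": [],
    },
]

# Output columns in the order of the query's project clause.
PROJECTED_COLUMNS = [
    "TimeGenerated", "RuleName", "Description", "Query", "UserPrincipalName",
    "Score", "AnomalyDetails", "Entities", "Tactics", "Techniques", "ExtendedLinks",
]


def extract_detail_query(extended_links: Any) -> Optional[str]:
    """Mirror of KQL `ExtendedLinks[0]["DetailBladeInputs"]`.

    KQL returns null when the array is empty, the element is not an object, or
    the key is absent; Python would raise IndexError/KeyError, so guard explicitly.
    """
    if not isinstance(extended_links, list) or not extended_links:
        return None
    first = extended_links[0]
    if not isinstance(first, dict):
        return None
    return first.get("DetailBladeInputs")


def select_sign_in_session_anomalies(
    rows: List[Dict[str, Any]],
    rule_suffix: str = "Anomalous Azure AD sign-in sessions",
) -> List[Dict[str, Any]]:
    """Apply the page's where / extend / project to in-memory Anomalies rows."""
    kept: List[Dict[str, Any]] = []
    suffix = rule_suffix.lower()
    for row in rows:
        # KQL `endswith` is case-insensitive (endswith_cs is the sensitive form).
        if not str(row.get("RuleName", "")).lower().endswith(suffix):
            continue
        # KQL `!=` on strings is case-sensitive: a row is dropped only while its
        # status is exactly "Flighting" (test mode, not yet promoted to Production).
        if row.get("RuleStatus") == "Flighting":
            continue
        projected: Dict[str, Any] = {}
        for col in PROJECTED_COLUMNS:
            if col == "Query":
                projected[col] = extract_detail_query(row.get("ExtendedLinks"))
            else:
                projected[col] = row.get(col)
        kept.append(projected)
    return kept


if __name__ == "__main__":
    for r in select_sign_in_session_anomalies(SAMPLE_ANOMALIES):
        print(r["TimeGenerated"], r["UserPrincipalName"], r["Score"], r["Query"])
```

Running the block prints two rows: alice with her drill-down query, and dave with `None` in the Query column, which is the case an automation that feeds `Query` straight into a second Log Analytics call has to check for before doing so.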

Jose Sebastián Canós
Released: December 15, 2022