Query Details

Anomalous AAD Account Creation

Query

//Alert - Anomalous AAD Account Creation
SecurityAlert
| where SystemAlertId == "bf45d5cd-2cfc-dff1-8b7d-5440b5089529"
| summarize arg_max(TimeGenerated, *) by SystemAlertId

Explanation

This query retrieves a single security alert, the "Anomalous AAD Account Creation" alert, by its SystemAlertId. That value is a GUID that identifies one alert instance, not the alert type, so the filter returns at most one alert. Because Microsoft Sentinel can store more than one row for the same alert (for example when an alert is updated after it was first ingested), the summarize arg_max(TimeGenerated, *) by SystemAlertId step keeps only the most recent row for that identifier while preserving every column. The hardcoded GUID only matches the alert it was copied from; to find every alert of this type in a workspace, filter on AlertName instead of SystemAlertId.
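The following query is an added example, not part of the original page, that generalizes the idea above: instead of pinning one SystemAlertId, it hunts for every alert of this type in the last seven days, applies the same arg_max deduplication, and expands the account entities so each created account becomes its own row. It assumes the alert title contains "Anomalous" and "Account Creation" (verify the exact AlertName in your workspace) and that the Entities column holds the standard Microsoft Sentinel entity JSON with Type == "account".

```kql
// Added example, not from the original page.
// Assumptions: AlertName contains "Anomalous" and "Account Creation"; Entities is the
// standard Sentinel entity JSON array where account entities carry Type == "account".
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName has "Anomalous" and AlertName has "Account Creation"
// Keep only the latest version of each alert; Sentinel can hold several rows per SystemAlertId
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// Expand the entity array so every account referenced by the alert is its own row
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "account"
| project TimeGenerated,
          AlertName,
          AlertSeverity,
          ProviderName,
          CompromisedEntity,
          AccountName = tostring(Entity.Name),
          UPNSuffix = tostring(Entity.UPNSuffix),
          SystemAlertId
| order by TimeGenerated desc
```

Run it in the Logs blade of the Sentinel workspace; once you have confirmed the exact AlertName, replace the two has clauses with an equality test to avoid matching unrelated alerts.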

Details


Rod Trent

Released: July 11, 2022

Tables

SecurityAlert

Keywords

Alert,Anomalous,AAD,Account,Creation,SecurityAlert,SystemAlertId,TimeGenerated

Operators

where, summarize, arg_max, by
