Query Details

Azure AD Identity Protection Glitch

Query

SigninLogs
// Keep only sign-ins that carry at least one Identity Protection risk detection and whose
// authentication steps mention a password
| where (RiskEventTypes != "[]" or RiskEventTypes_V2 != "[]") and AuthenticationDetails has "Password"
// Parse the JSON array of authentication steps and record when the row reached the workspace
| extend AuthenticationDetails = todynamic(AuthenticationDetails), TimeIngested = ingestion_time()
// One output row per authentication step
| mv-expand AuthenticationDetails
// Keep only password steps that failed; "succeeded" is a JSON boolean, so cast before comparing
| where AuthenticationDetails["authenticationMethod"] == "Password" and tostring(AuthenticationDetails["succeeded"]) == "false"
| sort by TimeIngested
| project-reorder TimeIngested, TimeGenerated, RiskEventTypes, RiskState, AuthenticationDetails

Explanation

This query reads SigninLogs and keeps sign-ins that carry an Identity Protection risk detection (RiskEventTypes or RiskEventTypes_V2 is not an empty array) and whose AuthenticationDetails mention "Password". It then parses AuthenticationDetails into a dynamic array and adds a TimeIngested column taken from ingestion_time(). mv-expand turns each authentication step into its own row, and the next filter keeps only the steps whose authenticationMethod is "Password" and whose succeeded flag is false, i.e. sign-ins that were flagged as risky even though the password step itself failed. Finally the results are sorted by TimeIngested and the listed columns are moved to the front.
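
As an added illustration of the filter logic (example code written for this page, not part of the catalogued query), the same conditions applied in Python to constructed SigninLogs rows; column and field names follow the query, while the sample rows and their values are invented:

```python
import json

# Constructed SigninLogs rows (not real tenant data). AuthenticationDetails is the JSON
# array string Sentinel stores; note that "succeeded" is a JSON boolean, not a string.
SAMPLE_SIGNINLOGS = [
    {  # risk detection present and the password step failed -> should match
        "TimeGenerated": "2023-05-04T10:05:00Z", "RiskState": "atRisk",
        "RiskEventTypes": '["unfamiliarFeatures"]', "RiskEventTypes_V2": '["unfamiliarFeatures"]',
        "AuthenticationDetails": json.dumps([
            {"authenticationMethod": "Password", "succeeded": False}]),
    },
    {  # no risk detection at all -> excluded by the first where
        "TimeGenerated": "2023-05-04T10:01:00Z", "RiskState": "none",
        "RiskEventTypes": "[]", "RiskEventTypes_V2": "[]",
        "AuthenticationDetails": json.dumps([
            {"authenticationMethod": "Password", "succeeded": False}]),
    },
    {  # risk present, password succeeded, MFA step failed -> excluded after mv-expand
        "TimeGenerated": "2023-05-04T10:03:00Z", "RiskState": "atRisk",
        "RiskEventTypes": '["anonymizedIPAddress"]', "RiskEventTypes_V2": '["anonymizedIPAddress"]',
        "AuthenticationDetails": json.dumps([
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Mobile app notification", "succeeded": False}]),
    },
]


def has_risk_detection(row):
    """First where clause: either risk column holds a non-empty JSON array."""
    return row["RiskEventTypes"] != "[]" or row["RiskEventTypes_V2"] != "[]"


def failed_password_steps(row):
    """todynamic() + mv-expand + second where, applied to one SigninLogs row."""
    for step in json.loads(row["AuthenticationDetails"]):
        # Compare the boolean as a boolean; a string compare against "false" would miss it.
        if step.get("authenticationMethod") == "Password" and step.get("succeeded") is False:
            yield step


def glitch_candidates(rows):
    """Rows where a risk was raised even though the password step failed."""
    matches = []
    for row in rows:
        if not (has_risk_detection(row) and "Password" in row["AuthenticationDetails"]):
            continue
        for step in failed_password_steps(row):
            matches.append({"TimeGenerated": row["TimeGenerated"], "RiskState": row["RiskState"],
                            "RiskEventTypes": row["RiskEventTypes"], "AuthenticationDetails": step})
    # The query sorts by TimeIngested; the sample has no ingestion time, so sort by TimeGenerated.
    return sorted(matches, key=lambda m: m["TimeGenerated"])
```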

Details

Jose Sebastián Canós

Released: May 4, 2023

Tables

SigninLogs

Keywords

SigninLogs,RiskEventTypes,RiskEventTypes_V2,AuthenticationDetails,Password,TimeIngested,authenticationMethod,succeeded,TimeGenerated,RiskState

Operators

where, or, and, has, extend, todynamic, ingestion_time, mv-expand, ==, sort by, project-reorder