Query Details

Function: IdentityInfo with Signin Risk

Query

// Save as a function in your workspace, then invoke it by that name. For example, if saved as SigninRisk:
// SigninRisk | where SigninTime > ago(30d) | where UserPrincipalName == "[email protected]"
// SigninRisk | where SigninTime > ago(30d) | where AssignedRoles contains "Global Administrator"
// Note: the function's final project renames TimeGenerated to SigninTime, so filter on SigninTime, not TimeGenerated.
// This joins each user's identity information, their sign-in data and any risky sign-ins into one result set.
IdentityInfo
| where TimeGenerated > ago(21d)
// Keep only the most recent IdentityInfo snapshot per account so each sign-in joins to a single identity row
| summarize arg_max(TimeGenerated, *) by AccountUPN
| join kind=inner (
    SigninLogs
) on $left.AccountUPN == $right.UserPrincipalName
// TimeGenerated1 is the sign-in time from SigninLogs (the right-hand side of the join)
| project SigninTime=TimeGenerated1, UserPrincipalName, AppDisplayName, ResultType, AssignedRoles, Location, UserAgent, AuthenticationRequirement, Country, City, CorrelationId
// Inner join on CorrelationId keeps only sign-ins that have a matching risk event
| join kind=inner (
    AADUserRiskEvents
) on CorrelationId
| project SigninTime, UserPrincipalName, AppDisplayName, ResultType, DetectionTimingType, RiskState, RiskLevel, Location, AssignedRoles, UserAgent, AuthenticationRequirement, Country, City

Explanation

This query joins a user's identity information, sign-in data and risky sign-in events into one result set. The function body itself only limits IdentityInfo to the last 21 days and keeps the latest record per account (the arg_max step prevents one sign-in from matching several identity snapshots); the example invocations in the comments then restrict the output to sign-ins within the last 30 days and to a specific user, or to users holding a specific role. Because both joins are inner joins, only sign-ins that match an entry in AADUserRiskEvents by CorrelationId are returned, so the result is a list of risky sign-ins, not all sign-ins. The final result includes the sign-in time, user's UPN, application name, sign-in result, detection timing, risk state, risk level, location, assigned roles, user agent, authentication requirement, country and city.
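One way to build on the saved function is to use it as the base of a scheduled detection that surfaces privileged accounts with unresolved high-risk sign-ins. The following is an added example, not a query from the original page or its author; it assumes the function was saved under the name SigninRisk (as in the comments above), that the role names listed are the ones of interest in your tenant, and that RiskState and RiskLevel carry the usual AADUserRiskEvents values ("atRisk", "remediated", "dismissed"; "low", "medium", "high").

```kql
// Added example (not from the original page): list privileged users with unresolved
// high-risk sign-ins over the last 7 days, one row per user, using the saved SigninRisk function.
// Assumptions: the function is saved as SigninRisk; role names and risk-state values are illustrative.
let privilegedRoles = dynamic(["Global Administrator", "Privileged Role Administrator", "Security Administrator"]);
SigninRisk
| where SigninTime > ago(7d)
// AssignedRoles is a dynamic array from IdentityInfo; has_any matches any listed role
| where AssignedRoles has_any (privilegedRoles)
| where RiskLevel == "high"
// Ignore detections an analyst has already closed
| where RiskState !in ("remediated", "dismissed")
| summarize RiskySignins = count(),
            Apps = make_set(AppDisplayName),
            Countries = make_set(Country),
            Roles = make_set(AssignedRoles),
            FirstSeen = min(SigninTime),
            LastSeen = max(SigninTime)
    by UserPrincipalName
| order by RiskySignins desc
```

Run this from a workspace where SigninRisk already exists; if the function was saved under another name, replace the first line accordingly. Filtering on SigninTime rather than TimeGenerated matters because the function's final project only exposes SigninTime.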

Details


Matt Zorich

Released: November 9, 2021

Tables

IdentityInfo, SigninLogs, AADUserRiskEvents

Keywords

IdentityInfo,SigninLogs,AADUserRiskEvents

Operators

where, ago, ==, contains, |, join, kind=inner, $left, $right, project, summarize, arg_max, by, on, and, or
