Query Details

Identity Protection Latency Issues

Query

AADUserRiskEvents
| where TimeGenerated > ago(90d)
| where RiskEventType == "unfamiliarFeatures" and RiskState == "atRisk"
// one row per detection: keep the earliest record seen for each Id
| summarize arg_min(TimeGenerated, *) by Id
| project AADUserRiskEvents_TimeGenerated = TimeGenerated, RequestId, RiskState
| join kind=leftouter hint.shufflekey=RequestId (
    union SigninLogs, AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(90d)
    // 'and' binds tighter than 'or' in KQL; the parentheses make the RiskState
    // check apply to both risk-type columns rather than only to RiskEventTypes_V2
    | where (RiskEventTypes has "unfamiliarFeatures" or RiskEventTypes_V2 has "unfamiliarFeatures")
        and RiskState == "atRisk"
    | summarize arg_min(TimeGenerated, *) by OriginalRequestId
    | project
        RequestId = OriginalRequestId,
        SignInLogs_TimeGenerated = TimeGenerated,
        RiskState
) on RequestId, RiskState
| distinct *
// latency in minutes, floored to a 5-minute bucket; "60.0" is a sentinel for
// risk events that found no paired sign-in (the left side is always populated)
| extend TimeDifference = case(
    isnotempty(AADUserRiskEvents_TimeGenerated) and isnotempty(SignInLogs_TimeGenerated), tostring(bin(abs(AADUserRiskEvents_TimeGenerated - SignInLogs_TimeGenerated), 5m)/1m),
    "60.0"
    )
| summarize count() by bin(AADUserRiskEvents_TimeGenerated, 7d), TimeDifference
| render columnchart kind=stacked

Explanation

This query measures how long Identity Protection takes to surface an unfamiliarFeatures risk detection after the sign-in that triggered it. It takes every unfamiliarFeatures detection in AADUserRiskEvents from the past 90 days that is still atRisk, keeps the earliest record per detection Id, and left-joins it on RequestId and RiskState to the earliest sign-in in SigninLogs and AADNonInteractiveUserSignInLogs whose RiskEventTypes or RiskEventTypes_V2 carries the same detection. The absolute gap between the two timestamps is floored to a 5-minute bucket and expressed in minutes; risk events with no paired sign-in (for example, a sign-in outside the 90-day window or one whose RiskState has since changed) fall into the sentinel bucket "60.0". Counts per week and bucket are rendered as a stacked column chart, so a growing share of high or unmatched buckets indicates detection or ingestion latency that any analytic rule keyed on AADUserRiskEvents will inherit.
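The pairing, binning and sentinel logic of the query, as an added reference implementation in Python that is not part of the original query or the author's work. It runs the same steps (filter, arg_min, left join on RequestId and RiskState, 5-minute binning, weekly buckets) over constructed sample rows so the query's semantics can be checked offline before it is pointed at a workspace. The rows are made up; the `_has` helper approximating KQL's `has` on the JSON-array risk columns, and the Monday alignment of Kusto's 7-day bins, are assumptions stated in the comments.

```python
"""Reference implementation of the latency query's logic over constructed rows.
Added example: not the original query and not real tenant data."""
from collections import Counter
from datetime import datetime, timedelta
import json

RISK_TYPE = "unfamiliarFeatures"
RISK_STATE = "atRisk"
BIN = timedelta(minutes=5)
UNMATCHED = "60.0"               # the query's sentinel label for a risk event with no paired sign-in
KUSTO_EPOCH = datetime(1, 1, 1)  # assumption: Kusto ticks start here, so bin(.., 7d) buckets begin on Mondays

# Constructed AADUserRiskEvents rows. r1 has two records; arg_min keeps the earlier one.
# r4 has the wrong RiskEventType and r5 the wrong RiskState, so both are filtered out.
RISK_EVENTS = [
    {"Id": "r1", "TimeGenerated": datetime(2024, 3, 1, 10, 7), "RiskEventType": RISK_TYPE, "RiskState": "atRisk", "RequestId": "req-1"},
    {"Id": "r1", "TimeGenerated": datetime(2024, 3, 1, 10, 9), "RiskEventType": RISK_TYPE, "RiskState": "atRisk", "RequestId": "req-1"},
    {"Id": "r2", "TimeGenerated": datetime(2024, 3, 1, 12, 48), "RiskEventType": RISK_TYPE, "RiskState": "atRisk", "RequestId": "req-2"},
    {"Id": "r3", "TimeGenerated": datetime(2024, 3, 5, 9, 0), "RiskEventType": RISK_TYPE, "RiskState": "atRisk", "RequestId": "req-3"},
    {"Id": "r4", "TimeGenerated": datetime(2024, 3, 5, 9, 30), "RiskEventType": "anonymizedIPAddress", "RiskState": "atRisk", "RequestId": "req-4"},
    {"Id": "r5", "TimeGenerated": datetime(2024, 3, 5, 9, 45), "RiskEventType": RISK_TYPE, "RiskState": "remediated", "RequestId": "req-5"},
]

# Constructed sign-in rows (SigninLogs and AADNonInteractiveUserSignInLogs already unioned).
# RiskEventTypes / RiskEventTypes_V2 are JSON-array strings, as in the real tables.
# req-3 is flagged but no longer atRisk, so it must not pair with r3.
SIGNINS = [
    {"OriginalRequestId": "req-1", "TimeGenerated": datetime(2024, 3, 1, 10, 0), "RiskEventTypes": '["unfamiliarFeatures"]', "RiskEventTypes_V2": "[]", "RiskState": "atRisk"},
    {"OriginalRequestId": "req-2", "TimeGenerated": datetime(2024, 3, 1, 12, 47), "RiskEventTypes": "[]", "RiskEventTypes_V2": '["unfamiliarFeatures"]', "RiskState": "atRisk"},
    {"OriginalRequestId": "req-3", "TimeGenerated": datetime(2024, 3, 5, 8, 58), "RiskEventTypes": '["unfamiliarFeatures"]', "RiskEventTypes_V2": "[]", "RiskState": "remediated"},
]


def _has(json_array_text, term):
    """Assumption: approximates KQL `has` on a JSON-array column as whole-term membership."""
    try:
        return term in json.loads(json_array_text or "[]")
    except ValueError:
        return False


def arg_min(rows, key, ts="TimeGenerated"):
    """KQL `summarize arg_min(TimeGenerated, *) by key`: earliest row per key value."""
    best = {}
    for r in rows:
        k = r[key]
        if k not in best or r[ts] < best[k][ts]:
            best[k] = r
    return list(best.values())


def risk_event_rows(rows):
    """Left side of the join: earliest atRisk unfamiliarFeatures record per detection Id."""
    return arg_min([r for r in rows if r["RiskEventType"] == RISK_TYPE and r["RiskState"] == RISK_STATE], "Id")


def signin_rows(rows):
    """Right side of the join; the state check is applied to both risk-type columns."""
    kept = [r for r in rows
            if (_has(r["RiskEventTypes"], RISK_TYPE) or _has(r["RiskEventTypes_V2"], RISK_TYPE))
            and r["RiskState"] == RISK_STATE]
    return arg_min(kept, "OriginalRequestId")


def latency_label(risk_ts, signin_ts):
    """tostring(bin(abs(risk - signin), 5m) / 1m), or the sentinel when there is no pair."""
    if signin_ts is None:
        return UNMATCHED
    binned = (abs(risk_ts - signin_ts) // BIN) * BIN          # floor to a 5-minute multiple
    return str(int(binned / timedelta(minutes=1)))           # whole minutes, e.g. "5"


def week_bin(ts):
    """bin(ts, 7d): floor to a 7-day multiple counted from the Kusto epoch."""
    return KUSTO_EPOCH + ((ts - KUSTO_EPOCH) // timedelta(days=7)) * timedelta(days=7)


def latency_histogram(risk_events, signins):
    """Returns {(week_start, TimeDifference label): count}, the chart's input."""
    by_key = {(s["OriginalRequestId"], s["RiskState"]): s for s in signin_rows(signins)}
    counts = Counter()
    for ev in risk_event_rows(risk_events):
        match = by_key.get((ev["RequestId"], ev["RiskState"]))   # leftouter join on RequestId, RiskState
        label = latency_label(ev["TimeGenerated"], match["TimeGenerated"] if match else None)
        counts[(week_bin(ev["TimeGenerated"]), label)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (week, label), n in sorted(latency_histogram(RISK_EVENTS, SIGNINS).items()):
        print(f"{week:%Y-%m-%d}  {label:>5} min  {n}")
```

On the sample rows this yields one risk event in the "5" bucket and one in the "0" bucket for the week of 2024-02-26, and one unmatched "60.0" row for the week of 2024-03-04; swapping the sample timestamps for rows exported from a workspace is enough to check the query's buckets against the chart.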

Details

Jose Sebastián Canós

Released: March 19, 2024

Tables

AADUserRiskEvents, SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

AADUserRiskEvents,TimeGenerated,RiskEventType,RiskState,Id,RequestId,AADUserRiskEvents_TimeGenerated,SignInLogs,AADNonInteractiveUserSignInLogs,RiskEventTypes,RiskEventTypes_V2,OriginalRequestId,SignInLogs_TimeGenerated,TimeDifference.

Operators

where, and, summarize, arg_min, project, join, union, has, or, extend, case, isnotempty, tostring, bin, abs, count, render