Query Details

Identity Calculate Risky Apps

Query

//Calculate the percentage of sign-ins to each of your Azure AD apps that are considered risky: those requiring only single-factor authentication, coming from an unknown location and from an unknown device

//Data connector required for this query - Azure Active Directory - Signin Logs

SigninLogs
| where TimeGenerated > ago (30d)
| where ResultType == 0
| extend DeviceTrustType = tostring(DeviceDetail.trustType)
| summarize
    ['Total Signins']=count(),
    ['At Risk Signins']=countif(NetworkLocationDetails == '[]' and isempty(DeviceTrustType) and AuthenticationRequirement == "singleFactorAuthentication")
    by AppDisplayName
| extend ['At Risk Percentage']=(todouble(['At Risk Signins']) * 100 / todouble(['Total Signins']))

Explanation

This query calculates, for each Azure AD app, the percentage of successful sign-ins that are considered risky. A sign-in counts as risky when it required only single-factor authentication, came from an unknown location (empty NetworkLocationDetails), and came from an unknown device (no device trust type). The query needs the Azure Active Directory - Signin Logs data connector. It filters the sign-in logs to the past 30 days and to successful sign-ins (ResultType == 0), counts the total and at-risk sign-ins per app, and calculates the at-risk percentage.
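The same logic run over a small inline table, as an added example that is not part of the original query. It goes slightly beyond it by counting distinct affected users, dropping low-volume apps whose percentage is noise, and ranking the result. The `SampleSignins` rows, the `MinSignins` threshold, the `IsAtRisk` column and the `At Risk Users` column are assumptions made for illustration.

```kql
// Constructed sample rows standing in for SigninLogs (not real tenant data).
let SampleSignins = datatable(
    ResultType:string, AppDisplayName:string, UserPrincipalName:string,
    AuthenticationRequirement:string, NetworkLocationDetails:string, DeviceDetail:dynamic)
[
    "0", "Contoso HR Portal", "alice@contoso.example", "singleFactorAuthentication", "[]", dynamic({"trustType":""}),
    "0", "Contoso HR Portal", "bob@contoso.example", "singleFactorAuthentication", "[]", dynamic({}),
    "0", "Contoso HR Portal", "alice@contoso.example", "multiFactorAuthentication", "[]", dynamic({}),
    "0", "Contoso HR Portal", "carol@contoso.example", "singleFactorAuthentication",
        '[{"networkType":"trustedNamedLocation","networkNames":["HQ"]}]', dynamic({"trustType":"Hybrid Azure AD joined"}),
    "0", "Contoso Wiki", "dave@contoso.example", "singleFactorAuthentication", "[]", dynamic({"trustType":"Azure AD joined"}),
    "0", "Contoso Wiki", "dave@contoso.example", "singleFactorAuthentication", "[]", dynamic({}),
    "50126", "Contoso Wiki", "erin@contoso.example", "singleFactorAuthentication", "[]", dynamic({}),
    "0", "Contoso Wiki", "erin@contoso.example", "multiFactorAuthentication",
        '[{"networkType":"trustedNamedLocation","networkNames":["HQ"]}]', dynamic({"trustType":"Azure AD joined"}),
    "0", "Contoso Legacy App", "frank@contoso.example", "singleFactorAuthentication", "[]", dynamic({})
];
// Hypothetical threshold: an app with a single sign-in would otherwise show 100%.
let MinSignins = 3;
SampleSignins
// Against the real SigninLogs table, keep the "TimeGenerated > ago(30d)" filter here.
| where ResultType == "0"    // successful sign-ins only; the failed row is excluded
| extend DeviceTrustType = tostring(DeviceDetail.trustType)
// All three conditions must hold; a known device or a named location clears the flag.
| extend IsAtRisk = NetworkLocationDetails == '[]'
    and isempty(DeviceTrustType)
    and AuthenticationRequirement == "singleFactorAuthentication"
| summarize
    ['Total Signins']=count(),
    ['At Risk Signins']=countif(IsAtRisk),
    ['At Risk Users']=dcountif(UserPrincipalName, IsAtRisk)
    by AppDisplayName
| where ['Total Signins'] >= MinSignins
| extend ['At Risk Percentage']=round(todouble(['At Risk Signins']) * 100 / todouble(['Total Signins']), 1)
| sort by ['At Risk Percentage'] desc
```

To run it against a tenant, replace `SampleSignins` with `SigninLogs` and tune `MinSignins` to the sign-in volume of the environment.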

Details

Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

SigninLogs,TimeGenerated,ResultType,DeviceDetail,trustType,NetworkLocationDetails,AuthenticationRequirement,AppDisplayName,TotalSignins,AtRiskSignins,AtRiskPercentage

Operators

where, ago, ==, extend, tostring, summarize, count(), countif(), isempty(), and, by, AppDisplayName, todouble(), /, *, =
