Query Details

Identity Detect Multiple Distinct Risk Events

Query

//Detect when a user triggers 3 or more distinct Azure AD Identity Protection risk event types within a single day

//Data connector required for this query - Azure Active Directory - AAD User Risk Events

AADUserRiskEvents
| where TimeGenerated > ago(7d)
//Drop detections an admin has dismissed; remediated or confirmed-safe events are still counted
| where RiskState != "dismissed"
//bin(TimeGenerated, 1d) aligns to UTC calendar days, so a burst that crosses midnight UTC is split across two rows
| summarize
    ['Distinct count of risk events']=dcount(RiskEventType),
    ['List of risk events']=make_set(RiskEventType)
    by UserPrincipalName, bin(TimeGenerated, 1d)
| where ['Distinct count of risk events'] >= 3

Explanation

This query detects users who trigger three or more distinct Azure AD Identity Protection risk event types within a single day. It reads the AADUserRiskEvents table (populated by the Azure Active Directory - AAD User Risk Events connector), keeps only events from the last 7 days whose RiskState is not "dismissed", and then summarizes per user and per one-day bin: dcount(RiskEventType) gives the number of distinct detection types and make_set(RiskEventType) lists them, so an analyst can see which detections fired together. Only rows with three or more distinct types survive the final filter. Two points to keep in mind when tuning: repeated hits of the same detection type (for example several anonymizedIPAddress events) count once, and bin(TimeGenerated, 1d) aligns to UTC calendar days, so a burst that straddles midnight UTC is split across two rows and may fall below the threshold. Because only dismissed events are excluded, detections that have since been remediated or confirmed safe are still counted; add those RiskState values to the filter if you only want open risk.
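The same detection logic re-implemented in Python over constructed sample rows, as an added example that is not part of the original page or of Matt Zorich's query. It mirrors the KQL step by step (7-day lookback, drop dismissed, group by user and UTC day, distinct count and set of types, threshold of 3) so the edge cases described above can be seen: a repeated type counts once, a dismissed event is ignored, and a burst across midnight UTC is split by the daily bin. A sliding 24-hour window variant is included as a hypothetical alternative; the sample events, user names and the assumed "now" timestamp are all made up for the example.

```python
"""Python mirror of the AADUserRiskEvents KQL detection (added example).

Runs the query's logic over constructed sample rows so the behaviour at the
edges (same type repeated, dismissed events, a burst that straddles midnight
UTC) is visible. detect_sliding_window() is a hypothetical variant, not part
of the original query.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "now" for the 7-day lookback (constructed for the example).
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)


def _row(ts, upn, rtype, state="atRisk"):
    """Build one constructed AADUserRiskEvents-style row (UTC timestamps)."""
    return {"TimeGenerated": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "UserPrincipalName": upn, "RiskEventType": rtype, "RiskState": state}


# Constructed sample telemetry, not real data. Column names follow the
# AADUserRiskEvents table; RiskEventType values are Identity Protection names.
SAMPLE_EVENTS = [
    # alice: three distinct types in one UTC day -> matches
    _row("2022-06-15T03:10:00", "alice@contoso.com", "anonymizedIPAddress"),
    _row("2022-06-15T03:12:00", "alice@contoso.com", "unfamiliarFeatures"),
    _row("2022-06-15T09:45:00", "alice@contoso.com", "leakedCredentials"),
    # bob: three events but only two distinct types -> no match
    _row("2022-06-15T10:00:00", "bob@contoso.com", "anonymizedIPAddress"),
    _row("2022-06-15T10:05:00", "bob@contoso.com", "anonymizedIPAddress"),
    _row("2022-06-15T11:00:00", "bob@contoso.com", "unfamiliarFeatures"),
    # carol: three distinct types but one was dismissed -> no match
    _row("2022-06-16T08:00:00", "carol@contoso.com", "anonymizedIPAddress"),
    _row("2022-06-16T08:30:00", "carol@contoso.com", "unfamiliarFeatures"),
    _row("2022-06-16T09:00:00", "carol@contoso.com", "leakedCredentials", state="dismissed"),
    # dave: three distinct types within an hour, but across midnight UTC -> split by bin()
    _row("2022-06-16T23:30:00", "dave@contoso.com", "anonymizedIPAddress"),
    _row("2022-06-16T23:50:00", "dave@contoso.com", "unfamiliarFeatures"),
    _row("2022-06-17T00:20:00", "dave@contoso.com", "maliciousIPAddress"),
    # erin: outside the 7-day lookback -> filtered out
    _row("2022-06-01T12:00:00", "erin@contoso.com", "anonymizedIPAddress"),
    _row("2022-06-01T12:10:00", "erin@contoso.com", "unfamiliarFeatures"),
    _row("2022-06-01T12:20:00", "erin@contoso.com", "leakedCredentials"),
]


def _in_scope(events, now, lookback_days):
    """where TimeGenerated > ago(7d) | where RiskState != "dismissed" """
    cutoff = now - timedelta(days=lookback_days)
    return [e for e in events
            if e["TimeGenerated"] > cutoff and e["RiskState"] != "dismissed"]


def detect_daily_bins(events, now=NOW, lookback_days=7, threshold=3):
    """Mirror of the KQL: summarize dcount/make_set by user and bin(TimeGenerated, 1d)."""
    groups = defaultdict(set)
    for e in _in_scope(events, now, lookback_days):
        # bin(TimeGenerated, 1d): floor to the UTC calendar day
        day = e["TimeGenerated"].replace(hour=0, minute=0, second=0, microsecond=0)
        groups[(e["UserPrincipalName"], day)].add(e["RiskEventType"])
    return [{"UserPrincipalName": upn, "TimeGenerated": day,
             "Distinct count of risk events": len(types),
             "List of risk events": sorted(types)}
            for (upn, day), types in sorted(groups.items()) if len(types) >= threshold]


def detect_sliding_window(events, now=NOW, lookback_days=7, threshold=3,
                          window=timedelta(hours=24)):
    """Hypothetical variant: any 24-hour window per user, so a burst across midnight is kept whole."""
    by_user = defaultdict(list)
    for e in _in_scope(events, now, lookback_days):
        by_user[e["UserPrincipalName"]].append(e)
    hits = []
    for upn, rows in sorted(by_user.items()):
        rows.sort(key=lambda r: r["TimeGenerated"])
        for i, start in enumerate(rows):
            end = start["TimeGenerated"] + window
            types = {r["RiskEventType"] for r in rows[i:] if r["TimeGenerated"] < end}
            if len(types) >= threshold:
                hits.append({"UserPrincipalName": upn, "WindowStart": start["TimeGenerated"],
                             "Distinct count of risk events": len(types),
                             "List of risk events": sorted(types)})
                break  # one alert per user is enough
    return hits


if __name__ == "__main__":
    for hit in detect_daily_bins(SAMPLE_EVENTS):
        print("daily bin  :", hit)
    for hit in detect_sliding_window(SAMPLE_EVENTS):
        print("sliding 24h:", hit)
```

With the sample rows, the daily-bin version (the page's logic) reports only alice; dave's three detections are split 2/1 across the UTC midnight boundary. The sliding-window variant reports both alice and dave, which is the behaviour to aim for if you tune the KQL (for example by reducing the bin size and joining adjacent bins, or by running the rule on a shorter schedule with a lookback longer than the schedule interval).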

Details


Matt Zorich

Released: June 17, 2022

Tables

AADUserRiskEvents

Keywords

UserPrincipalName, RiskEventType, TimeGenerated

Operators

where, >, ago, !=, summarize, dcount, make_set, by, bin, >=
