Query Details

Identity Find New Enterprise Apps

Query

//Find new applications your users are signing into in the last month vs the previous 6 months. For each find the first time the app was used, how many total signins and distinct users accessing each one

//Data connector required for this query - Azure Active Directory - Signin Logs

let knownapps=
    SigninLogs
    | where TimeGenerated > ago(180d) and TimeGenerated < ago (30d)
    | distinct AppId;
SigninLogs
| where TimeGenerated > ago(30d)
| where AppId !in (knownapps)
| where isnotempty(AppDisplayName)
| summarize
    ['First Time Seen']=min(TimeGenerated),
    Count=count(),
    ['User Count']=dcount(UserPrincipalName)
    by AppDisplayName
| sort by Count desc 

Explanation

This query finds applications that users signed into during the last month that were not seen in the previous 6 months. It first builds a list of known AppId values from sign-ins recorded between 180 and 30 days ago, then keeps sign-ins from the last 30 days whose AppId is not in that list and whose app display name is not empty. For each remaining app it returns the first time the app was used, the total number of sign-ins, and the number of distinct users accessing it. The data comes from the Azure Active Directory - Signin Logs data connector. The results are grouped by app display name and sorted by the count of sign-ins in descending order.
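To check the logic without tenant data, the following added example (not part of the original query or the author's code) runs the same filter over a constructed table. The SampleSignins name, the DaysAgo helper column, the app IDs, display names and user names are all assumptions made up for illustration.

```kql
// Constructed sample rows standing in for SigninLogs; not real tenant data.
// DaysAgo is a helper column (assumption) converted to TimeGenerated below.
// app-0001: used in the baseline window (90 days ago) and again recently
// app-0002: first used inside the last 30 days, by two different users
// app-0003: last used 200 days ago (before the baseline window), then again recently
// app-0004: recent sign-in with an empty display name
let SampleSignins =
    datatable(DaysAgo:int, AppId:string, AppDisplayName:string, UserPrincipalName:string)
    [
        90,  "app-0001", "Contoso HR Portal", "alice@contoso.example",
        5,   "app-0001", "Contoso HR Portal", "alice@contoso.example",
        12,  "app-0002", "Fabrikam Notes",    "alice@contoso.example",
        3,   "app-0002", "Fabrikam Notes",    "bob@contoso.example",
        3,   "app-0002", "Fabrikam Notes",    "bob@contoso.example",
        200, "app-0003", "Legacy Reports",    "carol@contoso.example",
        2,   "app-0003", "Legacy Reports",    "carol@contoso.example",
        1,   "app-0004", "",                  "bob@contoso.example"
    ]
    | extend TimeGenerated = now() - DaysAgo * 1d
    | project-away DaysAgo;
// Baseline: every AppId seen between 180 and 30 days ago
let knownapps =
    SampleSignins
    | where TimeGenerated > ago(180d) and TimeGenerated < ago(30d)
    | distinct AppId;
// Recent sign-ins to apps that are not in the baseline
SampleSignins
| where TimeGenerated > ago(30d)
| where AppId !in (knownapps)
| where isnotempty(AppDisplayName)
| summarize
    ['First Time Seen']=min(TimeGenerated),
    Count=count(),
    ['User Count']=dcount(UserPrincipalName)
    by AppDisplayName
| sort by Count desc
```

Because the baseline only reaches back 180 days, app-0003 is treated as new even though it was used before that window, and its First Time Seen reflects only the last 30 days.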

Details

Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

Applications,Users,SigninLogs,TimeGenerated,AppId,knownapps,AppDisplayName,UserPrincipalName,FirstTimeSeen,Count,UserCount

Operators

where,ago,distinct,in,isnotempty,summarize,min,count,dcount,by,sort
