Query Details
//Visualize sign in attempts to your Azure AD tenant by known or unknown network locations
//Data connector required for this query - Azure Active Directory - Signin Logs
SigninLogs
| where TimeGenerated > ago(30d)
//If a location is known it will be populated by its name, i.e. 'Corporate Internet'; if unknown, the NetworkLocationDetails array is empty so we can find it by searching on '[]'
| summarize
['Known Location']=countif(NetworkLocationDetails != '[]'),
['Unknown Location']=countif(NetworkLocationDetails == '[]')
by bin (TimeGenerated, 1d)
| render timechart with (title="Known vs Unknown signins to Azure AD", ytitle="Count")

This query visualizes the sign-in attempts to your Azure AD tenant based on whether they are from known or unknown network locations. It uses the Azure Active Directory - Signin Logs data connector. The query filters the sign-in logs for the past 30 days and then summarizes the count of sign-ins from known and unknown locations on a daily basis. The results are then rendered as a time chart showing the comparison between known and unknown sign-ins.
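The same known/unknown split run over constructed rows, extended to name each known location; this is an added example, not part of the original query. The sample rows, the JSON shape of NetworkLocationDetails (networkType, networkNames) and the empty-string row are assumptions made for illustration.

```kusto
// Constructed sample rows standing in for SigninLogs (all values are made up)
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string, NetworkLocationDetails:string)
[
    datetime(2022-06-15 08:01:00), "alice@contoso.example", '[{"networkType":"trustedNamedLocation","networkNames":["Corporate Internet"]}]',
    datetime(2022-06-15 09:12:00), "bob@contoso.example",   '[]',
    datetime(2022-06-15 23:47:00), "bob@contoso.example",   '[]',
    datetime(2022-06-16 08:05:00), "alice@contoso.example", '[{"networkType":"trustedNamedLocation","networkNames":["Corporate Internet"]}]',
    datetime(2022-06-16 10:30:00), "carol@contoso.example", '[{"networkType":"namedNetwork","networkNames":["Branch VPN"]}]',
    // Assumed edge case: an empty value, which a plain != '[]' test would count as known
    datetime(2022-06-16 11:02:00), "dave@contoso.example",  ''
];
SampleSignins
// Treat an empty value the same as '[]' so it is not counted as a known location
| extend IsKnown = isnotempty(NetworkLocationDetails) and NetworkLocationDetails != '[]'
// For known rows, take the first named location out of the JSON array
| extend LocationName = iff(IsKnown, tostring(parse_json(NetworkLocationDetails)[0].networkNames[0]), "Unknown")
// Daily sign-in count and distinct users per location
| summarize Signins = count(), Users = dcount(UserPrincipalName) by bin(TimeGenerated, 1d), LocationName
| order by TimeGenerated asc, LocationName asc
```

Replacing SampleSignins with SigninLogs and a TimeGenerated filter applies the same breakdown to real data.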

Matt Zorich
Released: June 17, 2022