Query Details

Identity Visualize Risk Events over Time

Query

// Visualize the different risk types (e.g. password spray, unlikely travel) per month

// Data connector required for this query - Azure Active Directory - AAD User Risk Events

AADUserRiskEvents
| where TimeGenerated > ago(180d)
| where isnotempty(RiskEventType)
| summarize Count=count() by RiskEventType, startofmonth(TimeGenerated)
| render columnchart with (kind=unstacked, title="Risk event types per month", xtitle="Month")

Explanation

This query visualizes the different types of risks (such as password spray and unlikely travel) per month. It uses the Azure Active Directory (AAD) User Risk Events data connector. The query filters the events within the last 180 days, removes any empty risk event types, and then summarizes the count of each risk event type by the start of each month. Finally, it renders the results as a column chart with the title "Risk event types per month" and the x-axis labeled as "Month".
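
Because the 180-day window rarely starts on the first of a month, the oldest column in the chart usually covers only part of that month. The following is an added example, not part of the original query: it compares the rolling window with a month-aligned one over constructed sample rows, and the names ReferenceTime, SampleRiskEvents, RollingWindow and AlignedWindow are assumptions made for illustration.

```kql
// Constructed sample rows standing in for AADUserRiskEvents (not real tenant data).
let ReferenceTime = datetime(2022-06-17);   // assumed "now" so the sample is reproducible
let SampleRiskEvents = datatable(TimeGenerated: datetime, RiskEventType: string)
[
    datetime(2021-12-05), "passwordSpray",   // earlier than ReferenceTime - 180d (2021-12-19)
    datetime(2021-12-10), "passwordSpray",   // earlier than ReferenceTime - 180d
    datetime(2021-12-28), "passwordSpray",
    datetime(2022-01-14), "unlikelyTravel",
    datetime(2022-05-02), "unlikelyTravel",
    datetime(2022-05-20), "",                // empty type, dropped by isnotempty()
    datetime(2022-06-03), "passwordSpray"
];
// Rolling window, as in the original query: rows before 2021-12-19 fall outside it,
// so the December bucket is built from only part of the month.
let RollingWindow = SampleRiskEvents
    | where TimeGenerated > ReferenceTime - 180d
    | where isnotempty(RiskEventType)
    | summarize RollingCount = count() by RiskEventType, Month = startofmonth(TimeGenerated);
// Month-aligned window: the lower bound is moved back to the first day of that month,
// so every bucket except the current month covers a full calendar month.
let AlignedWindow = SampleRiskEvents
    | where TimeGenerated >= startofmonth(ReferenceTime - 180d)
    | where isnotempty(RiskEventType)
    | summarize AlignedCount = count() by RiskEventType, Month = startofmonth(TimeGenerated);
// Side-by-side comparison of the two windows per month and risk type.
AlignedWindow
| join kind=leftouter RollingWindow on RiskEventType, Month
| project Month, RiskEventType, AlignedCount, RollingCount = coalesce(RollingCount, 0)
| order by Month asc, RiskEventType asc
```

To apply the aligned window to live data, replace SampleRiskEvents with AADUserRiskEvents and ReferenceTime with now().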

Details

Matt Zorich

Released: June 17, 2022

Tables

AADUserRiskEvents

Keywords

AADUserRiskEvents,TimeGenerated,RiskEventType,Count,startofmonth

Operators

where, isnotempty, summarize, count, by, startofmonth, render