Query Details
//Visualize sign in attempts to your Azure AD tenant by device trust type
//Data connector required for this query - Azure Active Directory - Signin Logs
SigninLogs
| where TimeGenerated > ago(30d)
| extend DeviceTrustType = tostring(DeviceDetail.trustType)
| extend ['Trust Type'] = case(isnotempty(DeviceTrustType), DeviceTrustType,
    isempty(DeviceTrustType), "Untrusted",
    "unknown")
| summarize Count=count() by ['Trust Type'], bin(TimeGenerated, 1d)
| render timechart with (title="Signins to Azure AD by trust type")

This query visualizes sign-in attempts to your Azure AD tenant by the trust type of the device used. It requires the Azure Active Directory - Signin Logs data connector. The query filters the sign-in logs to the past 30 days and extracts DeviceDetail.trustType as a string into a DeviceTrustType column. It then labels each sign-in with that trust type when one is present and with "Untrusted" when it is empty, keeping "unknown" as the fallback value, and counts the sign-ins for each trust type per day. Finally, it renders a time chart with the title "Signins to Azure AD by trust type".

Matt Zorich
Released: June 17, 2022
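
The following is an added example, not part of the original query or the author's code. It applies the same trust-type classification to constructed rows, so it runs without the data connector, and reports the daily share of sign-ins with no device trust type. The table name SampleSignins, the user names, and the output column names are assumptions. It also shows that an empty trustType, a missing trustType key, and a null DeviceDetail all land in "Untrusted", which means the "unknown" fallback in the query above is never reached.

```kusto
// Constructed sample rows standing in for SigninLogs (not real tenant data)
let SampleSignins = datatable(TimeGenerated: datetime, UserPrincipalName: string, DeviceDetail: dynamic)
[
    datetime(2022-06-01 08:00), "user1@example.com", dynamic({"trustType": "Azure AD joined"}),
    datetime(2022-06-01 09:00), "user2@example.com", dynamic({"trustType": "Hybrid Azure AD joined"}),
    // trustType present but empty
    datetime(2022-06-01 10:00), "user3@example.com", dynamic({"trustType": ""}),
    // trustType key missing entirely
    datetime(2022-06-01 11:00), "user4@example.com", dynamic({"browser": "Chrome 102"}),
    datetime(2022-06-02 08:30), "user1@example.com", dynamic({"trustType": "Azure AD registered"}),
    // DeviceDetail itself is null
    datetime(2022-06-02 12:00), "user3@example.com", dynamic(null)
];
SampleSignins
// tostring() of a missing or null property returns an empty string
| extend DeviceTrustType = tostring(DeviceDetail.trustType)
// isnotempty/isempty are exhaustive for strings, so two outcomes are enough
| extend ['Trust Type'] = iff(isnotempty(DeviceTrustType), DeviceTrustType, "Untrusted")
| summarize Total = count(),
            Untrusted = countif(['Trust Type'] == "Untrusted")
            by Day = bin(TimeGenerated, 1d)
| extend UntrustedPercent = round(100.0 * Untrusted / Total, 1)
| order by Day asc
```

To run it against real data, replace SampleSignins with SigninLogs and add the `where TimeGenerated > ago(30d)` filter from the original query.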