Query Details

Impossible Travel MCAS

Query

// MCAS connection required. Just shows all Impossible Travel alerts
SecurityAlert
| where ProductName == "Microsoft Cloud App Security"
// an alert is written again each time it is updated, so keep only the latest row per alert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where DisplayName == "Impossible travel activity"
// sort by defaults to descending, so the newest alert comes first
| sort by TimeGenerated

Explanation

This query retrieves all Impossible Travel alerts from Microsoft Cloud App Security. Because the SecurityAlert table receives a new row each time an alert is updated, it groups the rows by their unique SystemAlertId and keeps only the most recent one for each alert based on TimeGenerated. It then filters the alerts to only those with the DisplayName "Impossible travel activity" and sorts them by TimeGenerated.
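As an added example (not part of the original page), the query above can be extended into a per-user triage view. It assumes the standard Microsoft Sentinel SecurityAlert schema (CompromisedEntity, AlertSeverity, StartTime, EndTime, AlertLink) and a 7-day lookback; both are assumptions, adjust as needed.

```kql
// Added example, not from the original page.
// Assumptions: standard Sentinel SecurityAlert columns and a 7-day lookback window.
let lookback = 7d;
let latestImpossibleTravel =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProductName == "Microsoft Cloud App Security"
    // MCAS writes a new row each time an alert is updated; keep the latest state only
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | where DisplayName == "Impossible travel activity";
latestImpossibleTravel
// CompromisedEntity is assumed to hold the affected user for MCAS alerts
| summarize
    AlertCount = count(),
    FirstSeen  = min(StartTime),
    LastSeen   = max(EndTime),
    Severities = make_set(AlertSeverity),
    Links      = make_set(AlertLink)
  by CompromisedEntity
// users with repeated impossible-travel alerts in the window float to the top
| sort by AlertCount desc, LastSeen desc
```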

Details


Rod Trent

Released: November 5, 2021

Tables

SecurityAlert

Keywords

SecurityAlert,ProductName,MicrosoftCloudAppSecurity,TimeGenerated,SystemAlertId,DisplayName,Impossibletravelactivity

Operators

where, ==, summarize, arg_max, by, *, sort by
