KQL Search

This query is designed to filter and display information about interactive logins to a website. Here's a simple breakdown:

1. SigninLogs: Start with the log data that contains sign-in information.
2. | where IsInteractive == 1: Filter the logs to include only interactive logins (those where a user actively logs in, as opposed to automated or background logins).
3. | extend City = LocationDetails.city: Add a new column named "City" that contains the city information from the location details.
4. | extend State = LocationDetails.state: Add a new column named "State" that contains the state information from the location details.
5. | extend Lat = parse_json(tostring(LocationDetails.geoCoordinates)).latitude: Add a new column named "Lat" that contains the latitude from the geo-coordinates.
6. | extend Long = parse_json(tostring(LocationDetails.geoCoordinates)).longitude: Add a new column named "Long" that contains the longitude from the geo-coordinates.
7. | project UserPrincipalName, UserType, AppDisplayName, ResourceDisplayName, City, State, Location, Lat, Long: Select and display only the specified columns: UserPrincipalName, UserType, AppDisplayName, ResourceDisplayName, City, State, Location, Lat, and Long.

In summary, this query filters for interactive logins and extracts specific location details (city, state, latitude, and longitude) along with user and application information, then displays these selected columns.