Query Details

List Entra ID Sign Ins

Query

# Function: List Entra ID Sign-In Activities for an Account

## Query Information

#### Description
This function lists the sign-ins from both the *SigninLogs* and *AADNonInteractiveUserSignInLogs* tables for the account given as input (*UserAccount*).

#### References
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs

## Sentinel
```
let UserAccount = "user@example.com"; // Placeholder: replace with the UPN to investigate
let aadFunc = (tableName: string, email: string) {
    table(tableName)
    | where ResultType == 0
    | where UserPrincipalName == email
};
let aadSignin = aadFunc("SigninLogs", UserAccount);
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs", UserAccount);
union isfuzzy=true aadSignin, aadNonInt
// To return all columns, remove the line below
| project TimeGenerated, Category, Location, AppDisplayName, ClientAppUsed, RiskState
```

Explanation

The query lists the successful sign-in activity (ResultType 0) for a specific user account. It reads both the SigninLogs and AADNonInteractiveUserSignInLogs tables, filters each on the provided user account (UserPrincipalName), and unions the results. For each sign-in it returns the TimeGenerated, Category, Location, AppDisplayName, ClientAppUsed, and RiskState columns; remove the final project line to return all columns.

Details

Bert-Jan Pals

Released: October 3, 2023

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

UserAccount, aadFunc, tableName, email, ResultType, UserPrincipalName, aadSignin, aadNonInt, TimeGenerated, Category, Location, AppDisplayName, ClientAppUsed, RiskState

Operators

table, where, union, isfuzzy, project