Query Details

Signin Logs Now

Query

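// Successful sign-ins in the last 24 hours by accounts outside your domain,
// limited to user/app/IP combinations seen only once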
SigninLogs
| where TimeGenerated >= ago(24h)
| where ResultType == 0 and UserPrincipalName !contains "yourdomainname" 
| project UserPrincipalName, AppDisplayName, IPAddress 
| summarize count() by UserPrincipalName, AppDisplayName, IPAddress 
| where count_ < 2

Explanation

This query retrieves sign-in logs from the past 24 hours and keeps only successful sign-ins (ResultType 0) whose user principal name does not contain "yourdomainname". It then selects the user principal name, app display name, and IP address from the remaining logs. The query then groups the logs by user principal name, app display name, and IP address and counts the number of logs for each group. Finally, it keeps only the groups with a count less than 2, that is, user, app, and IP address combinations that appear exactly once.
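The same pipeline run over a small constructed table, as an added example that is not part of the original query page, so each filter can be checked before the query is pointed at a real workspace. The table name `SampleSignins`, the fixed reference time `Now`, and every row are assumptions made up for illustration; `ResultType` is modelled as a string column here, so the success code is compared as `"0"`.

```kusto
// Constructed sample rows (not real telemetry) standing in for SigninLogs.
// Rows, in order:
//   1. internal account, successful sign-in
//   2. external account, one successful sign-in
//   3. external account, successful sign-in (first of two from the same app and IP)
//   4. external account, successful sign-in (second of two from the same app and IP)
//   5. external account, failed sign-in
//   6. external account, successful sign-in older than 24 hours
// Assumption: a fixed reference time replaces ago(24h) so the result is repeatable.
let Now = datetime(2021-05-24 12:00:00);
let SampleSignins = datatable(
    TimeGenerated:datetime,
    ResultType:string,
    UserPrincipalName:string,
    AppDisplayName:string,
    IPAddress:string)
[
    datetime(2021-05-24 09:00:00), "0",     "alice@yourdomainname.com", "Azure Portal",               "203.0.113.10",
    datetime(2021-05-24 09:05:00), "0",     "guest@partner.example",    "Azure Portal",               "198.51.100.7",
    datetime(2021-05-24 10:00:00), "0",     "vendor@supplier.example",  "Office 365 Exchange Online", "198.51.100.20",
    datetime(2021-05-24 10:30:00), "0",     "vendor@supplier.example",  "Office 365 Exchange Online", "198.51.100.20",
    datetime(2021-05-24 11:00:00), "50126", "contractor@other.example", "Azure Portal",               "192.0.2.44",
    datetime(2021-05-22 08:00:00), "0",     "old@partner.example",      "Azure Portal",               "198.51.100.9"
];
SampleSignins
| where TimeGenerated >= Now - 24h
| where ResultType == "0" and UserPrincipalName !contains "yourdomainname"
| project UserPrincipalName, AppDisplayName, IPAddress
| summarize count() by UserPrincipalName, AppDisplayName, IPAddress
| where count_ < 2
```

Rows 3 and 4 share one user, app, and IP address, so they collapse into a single group during `summarize` and are then judged by the final `count_` filter as a pair rather than individually.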

Details

Rod Trent

Released: May 24, 2021

Tables

SigninLogs

Keywords

SigninLogs,TimeGenerated,ResultType,UserPrincipalName,AppDisplayName,IPAddress,count_

Operators

|,where,>=,ago,==,and,!contains,project,summarize,count(),by,<
