Query Details

Successful Foreign Login Attempts Analysis

Query

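// Successful sign-ins from outside the Netherlands (NL) in the last 7 days.
// For another home country, change "NL" in the `where land !contains` filter.
SigninLogs
| where TimeGenerated >= ago(7d)
// mv-expand splits the LocationDetails property bag into one row per property;
// the isnotempty(land) filter below keeps only the countryOrRegion row.
| mv-expand LocationDetails
| extend stad = tostring(LocationDetails.city)              // city
| extend land = tostring(LocationDetails.countryOrRegion)   // country code
| extend authMethod = tostring(parse_json(MfaDetail).authMethod)
| extend authDetail = tostring(parse_json(MfaDetail).authDetail)
// ResultType 0 is a successful sign-in.
| where isnotempty(land) and ResultType == 0
| project
    Day = startofday(TimeGenerated),
    Identity,
    land,
    authMethod,
    authDetail
| where land !contains "NL"
// One row per day, identity and country; sort on the datetime value, then
// format it, because a dd/MM/yyyy string does not sort chronologically.
| distinct Day, Identity, land
| order by Day asc
| project TimeGenerated = format_datetime(Day, 'dd/MM/yyyy'), Identity, land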

Explanation

This query finds successful sign-ins (ResultType 0) from countries other than the Netherlands in the past 7 days. It extracts the city, country, authentication method, and authentication detail of each sign-in, but the final output keeps only unique combinations of date, user identity, and country, sorted in ascending order by date.

Details

Muzammil Mahmood

Released: June 7, 2024

Tables

SigninLogs

Keywords

SigninLogs,TimeGenerated,LocationDetails,stad,land,authMethod,authDetail,ResultType,Identity,MfaDetail,NL

Operators

where,mv-expand,extend,tostring,parse_json,isnotempty,project,format_datetime,contains,distinct,order by
