Query Details

UEBA Is Dormant

Query

//This KQL query uses the UEBA data enrichment values to show Dormant user accounts.
//See the following for the explanation: https://azurecloudai.blog/2021/06/07/how-to-use-the-ueba-enrichments-in-azure-sentinel/

BehaviorAnalytics
| where UsersInsights.IsDormantAccount == true
| project TimeGenerated, UserName, ActionType

Explanation

This query uses the UEBA data enrichment values to identify dormant user accounts. UsersInsights is a dynamic (JSON) column on the BehaviorAnalytics table, and the filter keeps only rows where its IsDormantAccount flag is set to true, i.e. activity attributed to an account that UEBA considers dormant. The query then projects the time the event was generated, the username of the account, and the action type associated with the event. For more information, refer to the link in the query comment.
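The following is an added example, not part of the original query or written by its author, that builds on the same filter to give an analyst a triage view: instead of listing every event from dormant accounts, it summarizes activity per account over the last seven days. It assumes the standard BehaviorAnalytics columns UserPrincipalName, SourceIPAddress and InvestigationPriority are present alongside the ones the original query uses.

```kql
// Added example (not from the page or its author): per-account summary of
// activity that UEBA has attributed to dormant accounts, so the analyst can
// triage by volume, first/last seen and peak investigation priority.
// Assumes the standard BehaviorAnalytics columns UserPrincipalName,
// SourceIPAddress and InvestigationPriority exist in the workspace.
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| where UsersInsights.IsDormantAccount == true
| summarize
    Events = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SourceIPs = make_set(SourceIPAddress, 10),
    Actions = make_set(ActionType, 10),
    MaxPriority = max(InvestigationPriority)
    by UserPrincipalName
| order by MaxPriority desc, Events desc
```

A dormant account that suddenly produces many events from several source IPs, or whose MaxPriority is high, is the row to look at first; the make_set caps keep the output readable when an account is noisy.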

Details


Rod Trent

Released: June 7, 2021

Tables

BehaviorAnalytics

Keywords

BehaviorAnalytics,UsersInsights,IsDormantAccount,TimeGenerated,UserName,ActionType

Operators

where, ==, true, project
