Visualization Authentication Methods Used

# Visualization Authentication Methods Used

## Query Information

#### Description
This visualization shows the authentication methods that have been used within the selected TimeFrame.

#### References
- https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods

## Sentinel
```KQL
let TimeFrame = 30d;
SigninLogs
| where TimeGenerated > ago(TimeFrame)
| where ResultType == 0
| summarize Total = count() by AuthenticationProtocol, bin(TimeGenerated, 1d)
```

Explanation

This query is designed to create a visualization that displays the different authentication methods used over a specified period, which is set to the last 30 days by default. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the SigninLogs table, which contains records of sign-in activities.

  2. Time Filter: It filters the records to include only those generated within the last 30 days (TimeFrame = 30d).

  3. Successful Sign-ins: It further filters the data to include only successful sign-in attempts, indicated by ResultType == 0.

  4. Aggregation: It counts the total number of successful sign-ins for each authentication method (AuthenticationProtocol) on a daily basis (bin(TimeGenerated, 1d)).

  5. Output: The result is a summary table showing the total number of successful sign-ins for each authentication method, grouped by day.

This visualization helps in understanding which authentication methods are being used most frequently over the selected time period.

Details

Bert-Jan Pals

Released: February 23, 2025

Tables

SigninLogs

Keywords

SigninLogs, AuthenticationProtocol, TimeGenerated, ResultType, Total

Operators

`let`, `|`, `where`, `>`, `ago`, `==`, `summarize`, `=`, `count()`, `by`, `bin()`