Query Details

Visualization Authentication Methods Used

Query

let TimeFrame = 30d;
SigninLogs
| where TimeGenerated > ago(TimeFrame)
| where ResultType == 0
| summarize Total = count() by AuthenticationProtocol, bin(TimeGenerated, 1d)

About this query

Visualization authentication Methods Used

Query Information

Description

This visualisation shows the authentication methods that have been used based on the selected TimeFrame.

References

Sentinel

Explanation

This query is designed to create a visualization that displays the different authentication methods used over a specified period, which is set to the last 30 days by default. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the SigninLogs table, which contains records of sign-in activities.

  2. Time Filter: It filters the records to include only those generated within the last 30 days (TimeFrame = 30d).

  3. Successful Sign-ins: It further filters the data to include only successful sign-in attempts, indicated by ResultType == 0.

  4. Aggregation: It counts the total number of successful sign-ins for each authentication method (AuthenticationProtocol) on a daily basis (bin(TimeGenerated, 1d)).

  5. Output: The result is a summary table showing the total number of successful sign-ins for each authentication method, grouped by day.

This visualization helps in understanding which authentication methods are being used most frequently over the selected time period.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: February 23, 2025

Tables

SigninLogs

Keywords

SigninLogsAuthenticationProtocolTimeGeneratedResultTypeTotal

Operators

let|where>ago==summarize=count()bybin()

Actions

GitHub