Forum Discussion
HeyNiko
Jun 12, 2025, Copper Contributor
Hunting for MFA manipulations in Entra ID tenants using KQL
The following article, Hunting for MFA manipulations in Entra ID tenants using KQL proved to be an invaluable resource in my search for an automated way to notify users of MFA modifications. I've...
jbmartin6
Jun 13, 2025, Iron Contributor
To get around the 'recordId' problem I have just done a join on some table on username and 'take 1' just to hook in some record with a recordId value. This allows you to proceed. The system needs a recordId to populate things in the alert view, so it can affect how the alert is displayed. In at least one case I had to join to a recordId that didn't have much to do with the alert, so our playbook has to specify 'do not look at that part of the alert' and run a specific query instead.
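The join-and-take-1 workaround jbmartin6 describes, written out as an added KQL example (this is not jbmartin6's query, nor code from the linked article). It assumes a workspace where Entra ID audit events are in AuditLogs and that IdentityLogonEvents is available as a table that carries ReportId, AccountUpn and AccountObjectId; the operation names in MfaOps and the column names are assumptions to verify against your own schema. The "take 1" is done per user with summarize arg_max rather than a global take 1, so every affected user gets a hook record.

```kql
// Added example, not from the thread. Assumed tables/columns: AuditLogs (Entra audit)
// and IdentityLogonEvents (carries ReportId). Check names against your schema first.
let lookback = 1d;
// Audit operations that change a user's MFA / security-info registration.
// These names are assumptions; confirm with:  AuditLogs | distinct OperationName
let MfaOps = dynamic([
    "User registered security info",
    "User deleted security info",
    "User changed default security info",
    "Admin registered security info",
    "Admin deleted security info"
]);
// The events we actually care about: who changed whose MFA registration, from where.
let MfaChanges =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName in (MfaOps)
    | extend TargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
    | extend Actor   = tostring(InitiatedBy.user.userPrincipalName)
    | extend ActorIp = tostring(InitiatedBy.user.ipAddress)
    | where isnotempty(TargetUpn)
    | project TimeGenerated, OperationName, Result, TargetUpn, Actor, ActorIp, CorrelationId;
// "Hook" table: one recent record per user that has a ReportId. It exists only so the
// detection output carries the identifier the alert view requires; the sign-in it points
// at is unrelated to the MFA change itself.
let ReportIdHook =
    IdentityLogonEvents
    | where Timestamp > ago(7d)
    | extend TargetUpn = tolower(AccountUpn)
    | where isnotempty(TargetUpn)
    // per-user "take 1": keep the newest record and its ReportId / AccountObjectId
    | summarize arg_max(Timestamp, ReportId, AccountObjectId) by TargetUpn
    | project TargetUpn, ReportId, AccountObjectId;
MfaChanges
| join kind=inner ReportIdHook on TargetUpn
// Rename to the column names a custom detection expects (Timestamp, ReportId, AccountUpn...)
| project-rename Timestamp = TimeGenerated, AccountUpn = TargetUpn
| project Timestamp, ReportId, AccountObjectId, AccountUpn,
          OperationName, Result, Actor, ActorIp, CorrelationId
```

Because the borrowed ReportId belongs to a sign-in record rather than to the MFA change, anything that consumes the alert should treat that part as filler, as jbmartin6's playbook does, and work from the projected audit columns (OperationName, Actor, ActorIp, CorrelationId) instead; CorrelationId lets the playbook re-query AuditLogs for the exact event. Users who have no sign-in record in the hook window are dropped by the inner join, so widen the 7d window or switch to a leftouter join if you would rather keep those rows without a ReportId.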