Forum Discussion
Monitor App activity with Sentinel
Anyone could share info if there is a way to monitor activity for Enterprise Apps using Sentinel? Basically to understand if Enterprise App has been used lately.
cmaneiro
Microsoft
MicrosoftHi marka01
Not sure if this is what you are looking:
This is just a simple query to get errors and success logging activity per Application, probably you need to narrow down your specific application.
KQL:
let Long = ago(30d);
SigninLogs
| where TimeGenerated > Long
| project AppDisplayName, ResultType
| extend Successful=iff(ResultType == "0" , 1 , 0)
| extend Falied=iff(ResultType != "0" , 1 , 0)
| extend Counter=1
| summarize SuccessCount=sum(Successful), FailedCount=sum(Falied) by AppDisplayName
Hope it helps