Forum Discussion

Ankit_Pandey
Copper Contributor
May 12, 2020

Query Activity From RiskyUsersBlade Under 'Risk History' Tab

In Log Analytics I need to query the Activity field from Risk History in the Risky Users blade. The goal is to generate an alert every time a user's risk history shows 'Leaked Credentials' under the Activity tab in the same blade.

How do I draft this query?


Thank You 

  • Jurgen790
    Copper Contributor

    Hi Ankit_Pandey,


    Within the "SigninLogs" table, populated by Azure Active Directory (AAD) services, risk-related alerts are populated in the column "riskEventTypes":

    The possible values for riskEventTypes are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue.

    If a "risk alert" in "risk history" is not showing up, or events are coming in but only limited information is shown in the actual events, it might be caused by a licensing limitation.

    https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

    Under "license requirements" you can see P1 licenses provide limited information for notifications or reports on risk behavior.

    It is possible you have P1 License causing the limitation of logs coming in. If you upgrade to a P2 license it will probably populate inside Azure Sentinel.

    - Jurgen
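A concrete query along the lines of Jurgen's answer, added here as an example and not taken from the thread. It assumes the Azure Sentinel `SigninLogs` schema, where `RiskEventTypes_V2` is a dynamic array of detection types (the values listed above), `RiskState` shows the current state of the user's risk (for example whether an admin has confirmed the user compromised), and `RiskDetail` records how that state was reached; the time window and the `make_set` limit are arbitrary choices.

```kql
// Added example, not from the original thread. Assumes the Sentinel SigninLogs schema:
// RiskEventTypes_V2 (dynamic array), RiskState and RiskDetail (string) are assumed column names.
SigninLogs
| where TimeGenerated > ago(7d)                    // look-back window, adjust to the rule's schedule
| where isnotempty(RiskEventTypes_V2)              // skip sign-ins with no risk detections at all
| mv-expand RiskType = RiskEventTypes_V2 to typeof(string)
| where RiskType =~ "leakedCredentials"            // the detection the question is about
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            SignIns   = count(),
            SourceIPs = make_set(IPAddress, 10)
    by UserPrincipalName, RiskState, RiskDetail    // keep state/detail so a later admin action is visible
| order by LastSeen desc
```

Keeping `RiskState` and `RiskDetail` in the output matters for the follow-up question in this thread: a later administrative action on the user does not delete the earlier `leakedCredentials` sign-in rows, it only changes those state columns, so the detection still matches while the state shows what was done afterwards. The same query, without the `summarize`, can be used as the body of a scheduled analytics rule to raise the alert the question asks for.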



    • Ankit_Pandey
      Copper Contributor

      Thank you Rod_Trent, however I had tried this before posting it here and it did not bring a result. Is there a possibility that, after I tagged this user as Compromised, the latest value here, "Admin confirmed user compromised", overwrote the risk history (Leaked Credentials) with a new entry and so does not bring up a result?

      In fact, even an unstructured search for 'leaked credentials' brings up nothing.

      search "leaked credentials" --> no result

      A screenshot is attached for reference to show that I am querying from the Risky Users blade.
