Forum Discussion
Query Activity From RiskyUsersBlade Under 'Risk History' Tab
In Log Analytics I need to query the Activity field from Risk History in the Risky Users blade. The goal is to generate an alert every time a user's risk history shows 'Leaked Credentials' under the Activity tab in the same blade.
How do I draft this query?
Thank You
- Jurgen790 (Copper Contributor)
Hi Ankit_Pandey,
Within the "SigninLogs" table populated by Azure Active Directory (AAD) services, risk-related alerts are populated in the column "riskEventTypes":
The possible values for riskEventTypes are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue.
If a "risk alert" in "risk history" is not showing up, or events are coming in but only limited information is shown in the actual events, it might be caused by a licensing limitation.
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
Under "license requirements" you can see that P1 licenses provide limited information for notifications or reports on risk behavior.
It is possible you have a P1 license causing the limitation of logs coming in. If you upgrade to a P2 license it will probably populate inside Azure Sentinel.
- Jurgen
- Rod_Trent (Microsoft)
Ankit_Pandey Here's a start:
let timeframe = 1d;
SigninLogs
| where TimeGenerated >= ago(timeframe)
// the column holds the camelCase value listed above, so match "leakedCredentials"
| where RiskEventTypes contains "leakedCredentials"
- Ankit_Pandey (Copper Contributor)
Thank you Rod_Trent; however, I had tried this before posting here and it did not bring any results. Is there a possibility that after I tagged this user as Compromised, the latest value here, "Admin confirmed user compromised", overwrote the risk history (Leaked Credentials) with a new entry and so does not bring up a result?
In fact, even an unstructured search for 'leaked credentials' brings up nothing.
search "leaked credentials" --> no result
A screenshot is attached for reference to show that I am querying from the Risky Users blade.
- Ankit_Pandey (Copper Contributor)
Any suggestions please? Thank you.
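An added example, not code from any post in this thread, that builds on Rod_Trent's query. Two details matter for getting rows back. First, the value stored in RiskEventTypes is the camelCase enum value "leakedCredentials" that Jurgen790 listed, so a filter on the two-word string "leaked credentials" cannot match it. Second, the column is a JSON array of values, so expanding it and comparing each element is more reliable than a substring match. The query also carries RiskState and RiskDetail through to the output, so when a user has since been marked "Admin confirmed user compromised" you can see what the sign-in records actually hold rather than guess whether anything was overwritten. The columns used (TimeGenerated, UserPrincipalName, RiskEventTypes, RiskState, RiskDetail, RiskLevelAggregated, IPAddress, AppDisplayName) are standard SigninLogs columns; the 1d window is an assumed value for a scheduled analytics rule.

```kql
// Added example: find users whose sign-ins carry the leakedCredentials risk detection.
// Assumes a 1d lookback to match a daily scheduled rule; adjust to the rule's frequency.
let timeframe = 1d;
SigninLogs
| where TimeGenerated >= ago(timeframe)
// RiskEventTypes is a JSON array string such as ["leakedCredentials"]; expand it
| mv-expand RiskEvent = parse_json(RiskEventTypes)
| extend RiskEvent = tostring(RiskEvent)
// case-insensitive exact match on the enum value, not on "leaked credentials"
| where RiskEvent =~ "leakedCredentials"
// one row per user for the alert; keep RiskState and RiskDetail so a later
// admin action (for example adminConfirmedUserCompromised) is visible, not hidden
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SignInCount = count(),
    RiskStates = make_set(RiskState),
    RiskDetails = make_set(RiskDetail),
    AggregatedRiskLevels = make_set(RiskLevelAggregated),
    SourceIPs = make_set(IPAddress, 20),
    Apps = make_set(AppDisplayName, 20)
    by UserPrincipalName
| order by LastSeen desc
```

Run it first with the filter line commented out to confirm the tenant is emitting any RiskEventTypes values at all; if that column is empty across the window, Jurgen790's licensing point applies before any query change will help. Note also that SigninLogs only records a detection when a sign-in carries it; a detection that appears in the Risk History tab without a matching sign-in in the window will not be returned by this query.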