Forum Discussion
Query Activity From RiskyUsersBlade Under 'Risk History' Tab
Hi Ankit_Pandey,
Within the table of "SigninLogs" populated by Azure Active Directory (AAD) Services, risk-related alerts are populated inside the column "riskEventTypes":
The possible values for riskEventTypes are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue.
In case there is a situation where a "risk alert" in "risk history" is not showing up, or events are coming in but limited information is shown in the actual events, it might be caused by a licensing limitation.
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
Under "license requirements" you can see P1 licenses provide limited information for notifications or reports on risk behavior.
It is possible you have a P1 license causing the limitation of logs coming in. If you upgrade to a P2 license, it will probably populate inside Azure Sentinel.
- Jurgen
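
Added example, not part of the reply above: a KQL query for the Sentinel Logs blade that rebuilds a per-user risk history from the SigninLogs table the reply points to. It assumes the Log Analytics column names `RiskEventTypes_V2`, `RiskLevelDuringSignIn`, `RiskState`, `UserPrincipalName` and `IPAddress`; the 30-day window and the output column names are arbitrary choices.

```kql
// Added example: per-user risk detections from sign-in logs (last 30 days).
SigninLogs
| where TimeGenerated > ago(30d)
// Keep only sign-ins that carry some risk signal.
| where RiskLevelDuringSignIn !in ("none", "") or RiskState !in ("none", "")
// RiskEventTypes_V2 is a JSON array stored as a string, e.g. ["unfamiliarFeatures"].
| extend RiskEvents = todynamic(RiskEventTypes_V2)
| mv-expand RiskEvent = RiskEvents to typeof(string)
// Label sign-ins flagged as risky for which no event type was recorded.
| extend RiskEvent = iff(isempty(RiskEvent), "(no event type logged)", RiskEvent)
| summarize Detections = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            SourceIPs  = make_set(IPAddress, 20),
            RiskLevels = make_set(RiskLevelDuringSignIn),
            RiskStates = make_set(RiskState)
    by UserPrincipalName, RiskEvent
| order by LastSeen desc
```

If `RiskLevels` contains only `hidden`, or every row lands in "(no event type logged)", the tenant is not receiving full risk detail, which matches the licensing limitation described in the reply.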