Terminated User Logons in Sentinel Query

Question

Hello,&nbsp;Looking for a Query that will search within Sentinel for the last logon attempt for ALL terminated users over the past 11 months, please.

samikroy · Answer

Brad_Hill - You need to store the list terminated employees and the use the below query let list_of_terminated_employeed = dynamic(['email address removed for privacy reasons','email address removed for privacy reasons']); SigninLogs | where TimeGenerated &gt;ago(365d) | summarize arg_max(TimeGenerated,*) by UserPrincipalName | where UserPrincipalName has_any (list_of_terminated_employeed) And you need to ensure that the Microsoft Sentinel Workspace has the retention for the time period you are looking for,

eis · Answer

Are you able to share the template and likely Logic app that queries the Graph API?

samikroy · Answer

EIS&nbsp;Watchlist template is available is Microsoft Sentinel&nbsp;and here is an example of logic app for watchlist automation&nbsp;New watchlist actions available for watchlist automation using Microsoft Sentinel SOAR - Microsoft Community Hub

gbushey · Answer

Highly suggest using a Watchlist to store the terminated employees.&nbsp; &nbsp;There is a template for it and, with the help of a Logic App that queries the Graph API, you can keep it up to date automatically.

brad_hill · Answer

Thank you Samikroy, my apologies for just now seeing this answer.

Forum Discussion

Terminated User Logons in Sentinel Query

6 Replies

Resources