Forum Discussion
Paul Schnackenburg
May 07, 2021Copper Contributor
Which user accounts are involved in "Sign-ins from IPs that attempt sign-ins to disabled accounts"
Hi, My recently deployed Sentinel instance for a small school (approx 120 users) keeps giving me this incident, based on the rule "Sign-ins from IPs that attempt sign-ins to disabled accounts". Howe...
GaryBushey
May 07, 2021Bronze Contributor
Paul Schnackenburg It looks like the information is in the query, although I am not sure why it isn't exposed. There is a column being returned called "disabledAccountSet" that will list all the accounts being accessed.
Since this is stored as a dynamic array, I used the mv-expand command to get 1 row per account so it can be assigned to an Entity.
NOTE: I do not actually have this query returning any results in my environment but this should work.
1) Add the following code to the end of the query in the Analytic rule:
| mv-expand disabledAccountSet
2) Set up an entity to use that column so that the results are mapped to an entity so you can see it.
That should do it!
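The following KQL is an added, constructed illustration of the two steps above; it is not the query of the built-in Sentinel rule, which the thread does not reproduce, and it is not GaryBushey's code. It assumes a small datatable standing in for SigninLogs, that Azure AD reports a sign-in to a disabled account with ResultType 50057 ("User account is disabled"), and the column names disabledAccountLoginAttempts, disabledAccountsTargeted, AccountCustomEntity and IPCustomEntity, which are assumptions; only disabledAccountSet comes from the thread. It can be pasted into a Log Analytics query window as-is because the sample data is inline.

```kql
// Constructed sample data standing in for SigninLogs (not real tenant data).
let SampleSigninLogs = datatable(TimeGenerated:datetime, IPAddress:string, UserPrincipalName:string, ResultType:string, ResultDescription:string)
[
    datetime(2021-05-07T08:00:00Z), "203.0.113.10", "alice@school.example", "50057", "User account is disabled.",
    datetime(2021-05-07T08:01:00Z), "203.0.113.10", "bob@school.example",   "50057", "User account is disabled.",
    datetime(2021-05-07T08:05:00Z), "203.0.113.10", "carol@school.example", "0",     "",
    datetime(2021-05-07T09:00:00Z), "198.51.100.7", "dave@school.example",  "0",     ""
];
// Step 1: per source IP, gather every disabled account that IP tried to sign in to.
// make_set() produces a dynamic array, which is why the accounts were invisible as entities.
let disabledAttempts = SampleSigninLogs
    | where ResultType == "50057"
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
                disabledAccountLoginAttempts = count(),
                disabledAccountsTargeted = dcount(UserPrincipalName),
                disabledAccountSet = make_set(UserPrincipalName)
      by IPAddress;
// Step 2: keep only IPs that also had a successful sign-in (the pattern the rule name describes).
let successfulFromSameIP = SampleSigninLogs
    | where ResultType == "0"
    | summarize successfulAccounts = make_set(UserPrincipalName) by IPAddress;
disabledAttempts
| join kind=inner successfulFromSameIP on IPAddress
| project-away IPAddress1
// Step 3: the fix from the thread - one output row per targeted account,
// so each row carries a single string value that an Account entity can be mapped to.
| mv-expand disabledAccountSet
| extend AccountCustomEntity = tostring(disabledAccountSet), IPCustomEntity = IPAddress
```

With the sample data this returns two rows for 203.0.113.10, one each for alice and bob, instead of a single row holding the array ["alice@school.example","bob@school.example"]. In the analytic rule's entity mapping, point the Account entity at AccountCustomEntity and the IP entity at IPCustomEntity (or whatever column names you chose). Note that every expanded row repeats the same IPAddress, so a single source IP that probes many disabled accounts will show up as many results rather than one.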
Paul Schnackenburg
May 07, 2021Copper Contributor
GaryBushey Thanks, that did the trick, much appreciated.