Hello, i am trying to get
SecurityAlert | where AlertName == "Leaked credentials" and join it with OfficeActivity and select the columns i need etc..
I assume the join can be made on the UserID, which needs to be expanded or extracted our of the
ExtendedProperties first..
Here is my attempt, but its not quite working.
SecurityAlert
| where AlertName == "Leaked credentials"
| extend email = extractjson("$['User Account']", ExtendedProperties)
| join kind= inner (
OfficeActivity
| where Operation == "UserLoggedIn"
) on email
ps: i tried using syntax highliting in this compose window, but keep getting the following message, so sorry that the formatting may be hard to read.
Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied.
