HELPPPP....User login from multiple workstation use case creation

%3CLINGO-SUB%20id%3D%22lingo-sub-2593702%22%20slang%3D%22en-US%22%3EHELPPPP....User%20login%20from%20multiple%20workstation%20use%20case%20creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2593702%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20client%20requirement%20where%20they%20require%20the%20data%20of%20list%20of%20user%20who%20are%20logging%20in%20from%20mutiple%20machines..%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Efor%20example%20the%20scenario%20is%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eif%20Alex%20login%20from%202%20machine%20his%20name%20should%20be%20listed%20in%20the%20data%20which%20is%20being%20retrieved.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2594201%22%20slang%3D%22en-US%22%3ERe%3A%20HELPPPP....User%20login%20from%20multiple%20workstation%20use%20case%20creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2594201%22%20slang%3D%22en-US%22%3EWhat%20data%20do%20you%20have%2C%20maybe%20AAD%20SigninLogs%3F%20Do%20you%20have%20a%20query%20you%20are%20working%20on%20so%20far%2C%20anything%20you%20can%20share%3F%20You%20have%20tagged%20Azure%20Sentinel%2C%20do%20you%20have%20that%20enabled%2C%20if%20so%20what%20Tables.%20In%20the%20meantime%20some%20examples%20to%20give%20you%20an%20idea.%20Is%20this%20for%20a%20rule%2C%20and%20ad-hoc%20query%20or%20a%20Workbook%3F%3CBR%20%2F%3E%3CBR%20%2F%3EBehaviorAnalytics%20%3CBR%20%2F%3E%7C%20where%20ActivityType%20%3D%3D%20'LogOn'%20and%20isnotempty(UserName)%3CBR%20%2F%3E%7C%20summarize%20make_set(DestinationDevice)%20by%20UserName%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3ESigninLogs%3CBR%20%2F%3E%7C%20extend%20deviceId_%20%3D%20tostring(DeviceDetail.deviceId)%3CBR%20%2F%3E%7C%20summarize%20devicesList%20%3D%20make_set_if(deviceId_%2C%20isnotempty(deviceId_))%2C%20devicesCount%20%3D%20dcountif(deviceId_%2C%20isnotempty(deviceId_))%20by%20UserPrincipalName%3CBR%20%2F%3E%7C%20where%20devicesCount%20%26gt%3B%201%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2593818%22%20slang%3D%22en-US%22%3ERe%3A%20HELPPPP....User%20login%20from%20multiple%20workstation%20use%20case%20creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2593818%22%20slang%3D%22en-US%22%3ECan%20you%20provide%20more%20details%3F%3C%2FLINGO-BODY%3E
Occasional Visitor

I have a client requirement where they require the data of list of user who are logging in from mutiple machines..

 

for example the scenario is

 

if Alex login from 2 machine his name should be listed in the data which is being retrieved.

2 Replies
Can you provide more details?
What data do you have, maybe AAD SigninLogs? Do you have a query you are working on so far, anything you can share? You have tagged Azure Sentinel, do you have that enabled, if so what Tables. In the meantime some examples to give you an idea. Is this for a rule, and ad-hoc query or a Workbook?

BehaviorAnalytics
| where ActivityType == 'LogOn' and isnotempty(UserName)
| summarize make_set(DestinationDevice) by UserName


SigninLogs
| extend deviceId_ = tostring(DeviceDetail.deviceId)
| summarize devicesList = make_set_if(deviceId_, isnotempty(deviceId_)), devicesCount = dcountif(deviceId_, isnotempty(deviceId_)) by UserPrincipalName
| where devicesCount > 1