Forum Discussion
Grzegorz Wierzbicki
Apr 18, 2019, Brass Contributor
Find events where access was blocked by a specific conditional access policy
Hi. In Azure Sentinel, I need to find events where access to a resource was blocked by a specific conditional access policy. Can anyone help with the query?
Grzegorz Wierzbicki
May 09, 2019, Brass Contributor
Thank you for trying :)
This will not work.
In your example you are only checking the first policy from the array (with index [0]).
I don't know at which position in the array my policy is.
I can find out by checking the logs (today it is 27) but that position can change as older policies are removed from the tenant.
The query must be based on a specific policy ID.
CliveWatson
May 09, 2019, Former Employee
I only have the one policy, so always [0] :-(
However, I think (not tested) mvexpand might help here; this might handle multiple array positions:
SigninLogs
| extend PropertiesJSON = parse_json(ConditionalAccessPolicies)
| extend CAPoliciesJson = parse_json(tostring(PropertiesJSON))
| mvexpand CAPoliciesJson // one row per policy in the array
//| project CAPoliciesJson.displayName
| where CAPoliciesJson.displayName != ""
| summarize count() by //TimeGenerated,
CAPolicyName = tostring(CAPoliciesJson.displayName),
tostring(CAPoliciesJson.result),
tostring(CAPoliciesJson.id)
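An added example (not from either poster) that matches on the policy's id rather than its array position, which is what the original question asks for. It assumes the standard Sentinel SigninLogs schema (ConditionalAccessPolicies array entries with id, displayName, result and enforcedGrantControls; the ConditionalAccessStatus, UserPrincipalName, AppDisplayName, IPAddress and ResultType columns) and uses a placeholder GUID for the policy id:

```kusto
// Added example: sign-ins blocked by one specific conditional access policy.
// The policy id is a placeholder; substitute the real id of the policy
// (visible in the portal or in the ConditionalAccessPolicies array of any sign-in).
let TargetPolicyId = "00000000-0000-0000-0000-000000000000"; // PLACEHOLDER, assumed
SigninLogs
| where TimeGenerated > ago(7d)
| where ConditionalAccessStatus == "failure"          // sign-in as a whole was blocked by CA
| mv-expand Policy = parse_json(ConditionalAccessPolicies)  // one row per evaluated policy
| where tostring(Policy.id) == TargetPolicyId         // match on id, independent of array index
| where tostring(Policy.result) == "failure"          // this policy is the one that blocked
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, ResultType,
          PolicyName = tostring(Policy.displayName),
          PolicyId = tostring(Policy.id),
          GrantControls = tostring(Policy.enforcedGrantControls)
| order by TimeGenerated desc
```

Filtering on Policy.result == "failure" matters because several policies are evaluated on every sign-in and most of them will show "success" or "notApplied"; only the entries that actually enforced a block carry "failure". Dropping the ConditionalAccessStatus line keeps policies in report-only mode out of the result set too, so leave it in unless that is what you want to see.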