cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Query Activity From RiskyUsersBlade Under 'Risk History' Tab

Ankit_Pandey
Copper Contributor

‎May 12 2020 11:58 AM - last edited on ‎Jan 04 2022 12:25 PM by

‎May 12 2020 11:58 AM - last edited on ‎Jan 04 2022 12:25 PM by

Query Activity From RiskyUsersBlade Under 'Risk History' Tab

In log analytics I need to query Activity field from Risk History in Risky Users blade. Goal is to generate alert every time when a users risk history shows as 'Leaked Credentials' under Activity tab in same blade. 

How do I draft this query ?

 

Thank You 

4,412 Views
0 Likes
5 Replies
Reply
5 Replies
Rod_Trent

‎May 14 2020 01:46 PM

‎May 14 2020 01:46 PM

Re: Query Activity From RiskyUsersBlade Under 'Risk History' Tab

@Ankit_Pandey Here's a start:

 

let timeframe = 1d;
SigninLogs
| where RiskEventTypes contains "leaked credentials"
0 Likes
Reply
Ankit_Pandey

‎May 15 2020 06:12 AM

‎May 15 2020 06:12 AM

Re: Query Activity From RiskyUsersBlade Under 'Risk History' Tab

Thank you @Rod_Trent, however I had tried this before posting it here and this did not bring result. Is there a possibility that after I tagged this user as Compromised, the latest value here - "Admin confirmed user compromised" overwrites risk history (Leaked Credentials) with new entry and does not bring up result ? 

In fact even for an unstructured search to look up for 'leaked credentials' nothing comes up. 

search "leaked credentials" --> no result

A screenshot attached for reference to tell I am querying from Risky Users Blade. 

 

Preview file
32 KB
0 Likes
Reply
Ankit_Pandey

‎May 21 2020 12:43 PM

‎May 21 2020 12:43 PM

Re: Query Activity From RiskyUsersBlade Under 'Risk History' Tab

Any suggestions please. Thank You.

0 Likes
Reply
Ankit_Pandey

‎Jun 09 2020 12:52 PM

‎Jun 09 2020 12:52 PM

Re: Query Activity From RiskyUsersBlade Under 'Risk History' Tab

Still looking for a solution to make this work. Any insights please ?

0 Likes
Reply
Jurgen790

‎Jun 13 2020 11:30 AM

‎Jun 13 2020 11:30 AM

Re: Query Activity From RiskyUsersBlade Under 'Risk History' Tab

Hi @Ankit_Pandey,


Within the table of "SigninLogs" populated by Azure Active Directory (AAD) Services risk related alerts are populated inside the column "riskEventTypes":

The possible values for riskEventTypes are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue.

In case there is a situation where a "risk alert" in "risk history" is not showing up, or events are coming in, but limited information is shown in the actual events. It might be caused by a licensing limitation.

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protec...

Under "license requirements" you can see P1 licenses provide limited information for notifications or reports on risk behavior.

It is possible you have P1 License causing the limitation of logs coming in. If you upgrade to a P2 license it will probably populate inside Azure Sentinel.

- Jurgen



0 Likes
Reply