Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Something is wrong in AADSignInEventsBeta?

Copper Contributor

Hello everybody.


Today I'm running this code in "Advanced hunting":




// Users with multiple countries 
// Get list of users that signed in from multiple countries for the last day. 
| where Timestamp > ago(1d)
| summarize CountPerCountry = dcount(Country), countrySet = make_set(Country) by AccountUpn 
| where CountPerCountry > 4
| order by CountPerCountry desc 




Unexpectedly, the result is not correct in all rows, and It shows AccountUpn who have accesses from countries that do not correspond to reality (I have verified this by checking the Sign-in logs of the AccountUpn from the Microsoft Azure dashboard).
I have run this code on previous occasions with seemingly good results.


0 Replies