Aug 23 2022 12:36 PM
Could anyone share info on whether there is a way to monitor activity for Enterprise Apps using Sentinel? Basically, to understand if an Enterprise App has been used lately.
Aug 23 2022 01:35 PM
Hi @marka01
Not sure if this is what you are looking for:
This is just a simple query to get error and success logging activity per application; you probably need to narrow it down to your specific application.
KQL:
// Start of the lookback window: 30 days ago
let Long = ago(30d);
SigninLogs
| where TimeGenerated > Long
| project AppDisplayName, ResultType
// ResultType "0" is a successful sign-in; any other value is an error code
| extend Successful = iff(ResultType == "0", 1, 0)
| extend Failed = iff(ResultType != "0", 1, 0)
| summarize SuccessCount = sum(Successful), FailedCount = sum(Failed) by AppDisplayName
Hope it helps
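An added example, not part of the original reply: the same per-application count extended to answer "has this app been used lately" by reporting the last sign-in time and covering non-interactive and service principal sign-ins as well. It assumes the three Azure AD sign-in log categories are sent to the Sentinel workspace; the 30-day lookback and 14-day staleness threshold are illustrative values.

```kql
// Added example: last sign-in per application across all sign-in tables.
// Assumptions: SigninLogs, AADNonInteractiveUserSignInLogs and
// AADServicePrincipalSignInLogs are ingested; thresholds are illustrative.
let Lookback = 30d;
let StaleAfter = 14d;
// isfuzzy=true lets the query run even if one of the tables is not present
union isfuzzy=true
    (SigninLogs
        | where TimeGenerated > ago(Lookback)
        | project TimeGenerated, AppId = tostring(AppId),
                  AppDisplayName = tostring(AppDisplayName),
                  ResultType = tostring(ResultType),
                  Identity = tostring(UserPrincipalName),
                  SignInKind = "Interactive"),
    (AADNonInteractiveUserSignInLogs
        | where TimeGenerated > ago(Lookback)
        | project TimeGenerated, AppId = tostring(AppId),
                  AppDisplayName = tostring(AppDisplayName),
                  ResultType = tostring(ResultType),
                  Identity = tostring(UserPrincipalName),
                  SignInKind = "NonInteractive"),
    (AADServicePrincipalSignInLogs
        | where TimeGenerated > ago(Lookback)
        | project TimeGenerated, AppId = tostring(AppId),
                  AppDisplayName = tostring(ServicePrincipalName),
                  ResultType = tostring(ResultType),
                  Identity = tostring(ServicePrincipalId),
                  SignInKind = "ServicePrincipal")
| summarize
    LastSignIn = max(TimeGenerated),
    LastSuccess = maxif(TimeGenerated, ResultType == "0"),
    SuccessCount = countif(ResultType == "0"),
    FailedCount = countif(ResultType != "0"),
    DistinctIdentities = dcount(Identity),
    SignInKinds = make_set(SignInKind)
    by AppId, AppDisplayName
| extend DaysSinceLastSuccess = datetime_diff("day", now(), LastSuccess)
// Stale: no successful sign-in at all, or none within the threshold
| extend Stale = isnull(LastSuccess) or LastSuccess < ago(StaleAfter)
| order by LastSuccess asc
```

An application with no sign-in events inside the lookback window does not appear in the output at all, so compare the result against the tenant's application inventory to find apps that are completely unused.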
Aug 24 2022 01:30 AM