Monitor App activity with Sentinel

Could anyone share whether there is a way to monitor activity for Enterprise Apps using Sentinel? Basically, to understand whether an Enterprise App has been used lately.

2 Replies

Hi @marka01

Not sure if this is what you are looking for:

This is just a simple query to get error and success logging activity per application. You will probably need to narrow it down to your specific application.

KQL:

let Long = ago(30d);
SigninLogs
| where TimeGenerated > Long
| project AppDisplayName, ResultType
// ResultType "0" is a successful sign-in; any other value is an error code
| extend Successful = iff(ResultType == "0", 1, 0)
| extend Failed = iff(ResultType != "0", 1, 0)
| summarize SuccessCount = sum(Successful), FailedCount = sum(Failed) by AppDisplayName

Hope it helps
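
For the "has it been used lately" part of the question, here is an added example (not part of the original reply) that goes beyond the query above: it also counts non-interactive and service principal sign-ins and reports the last sign-in per application. It assumes the Microsoft Entra ID data connector sends the three tables named below to the workspace; the 30-day window and the output column names are choices made for this example.

```kql
// Added example: last sign-in per application across user and service principal logs.
// Assumption: these tables are ingested; isfuzzy=true lets the query run if one is missing.
let Lookback = 30d;
union isfuzzy=true
    (SigninLogs
        | where TimeGenerated > ago(Lookback)
        | project TimeGenerated, AppId, AppName = AppDisplayName,
                  ResultType = tostring(ResultType), SignInType = "Interactive user"),
    (AADNonInteractiveUserSignInLogs
        | where TimeGenerated > ago(Lookback)
        | project TimeGenerated, AppId, AppName = AppDisplayName,
                  ResultType = tostring(ResultType), SignInType = "Non-interactive user"),
    (AADServicePrincipalSignInLogs
        | where TimeGenerated > ago(Lookback)
        | project TimeGenerated, AppId, AppName = ServicePrincipalName,
                  ResultType = tostring(ResultType), SignInType = "Service principal")
| summarize
    LastSignIn   = max(TimeGenerated),
    // Stays empty when the application had only failed sign-ins in the window
    LastSuccess  = maxif(TimeGenerated, ResultType == "0"),
    SuccessCount = countif(ResultType == "0"),
    FailedCount  = countif(ResultType != "0"),
    SignInTypes  = make_set(SignInType)
    by AppId, AppName
| extend DaysSinceLastSuccess = datetime_diff("day", now(), LastSuccess)
// Least recently used applications first
| order by LastSignIn asc
```

An application that does not appear in the result had no sign-in of any of these types inside the lookback window, so compare the output against the full Enterprise App list to find unused ones.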

Do you use Defender for Cloud Apps? If so, you can connect and ingest the Cloud Discovery Logs and then monitor any apps, including Enterprise Apps.