Query Activity From RiskyUsersBlade Under 'Risk History' Tab


In Log Analytics I need to query the Activity field from Risk History in the Risky Users blade. The goal is to generate an alert every time a user's risk history shows 'Leaked Credentials' under the Activity tab in the same blade.

How do I draft this query?


Thank You 

5 Replies

@Ankit_Pandey Here's a start:

let timeframe = 1d;
SigninLogs
| where TimeGenerated > ago(timeframe)
// RiskEventTypes holds the camelCase value "leakedCredentials", not "leaked credentials"
| where RiskEventTypes contains "leakedCredentials"

Thank you @rodtrent, however I had tried this before posting it here and it did not return any results. Is it possible that after I tagged this user as Compromised, the latest value here, "Admin confirmed user compromised", overwrote the risk history entry (Leaked Credentials) with a new entry, so the query does not return a result?

In fact, even an unstructured search for 'leaked credentials' returns nothing.

search "leaked credentials" --> no result

A screenshot is attached for reference to show that I am querying from the Risky Users blade.

Any suggestions please. Thank You.

Still looking for a solution to make this work. Any insights, please?

Hi @Ankit_Pandey,


Within the "SigninLogs" table, populated by Azure Active Directory (AAD) services, risk-related alerts are populated inside the column "riskEventTypes":

The possible values for riskEventTypes are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue.

If a "risk alert" in "risk history" is not showing up, or events are coming in but only limited information is shown in the actual events, it might be caused by a licensing limitation.

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protec...

Under "license requirements" you can see that P1 licenses provide limited information for notifications or reports on risk behavior.

It is possible you have a P1 license, which limits the logs coming in. If you upgrade to a P2 license, it will probably populate inside Azure Sentinel.

- Jurgen
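Putting the two replies together, here is an added example (not code from any poster in this thread) that makes the earlier query match the camelCase value Jurgen lists, scopes it to the declared timeframe, and keeps RiskDetail in the output so a later "admin confirmed user compromised" action shows up beside the detection instead of hiding it. It assumes the standard Sentinel SigninLogs schema, where RiskEventTypes is a JSON array string and RiskDetail, RiskState, UserPrincipalName and UserId are present.

```kql
// Added example, not from the thread: alert on leakedCredentials risk
// detections in SigninLogs.
// RiskEventTypes is stored as a JSON array string such as '["leakedCredentials"]',
// so the literal to match is "leakedCredentials", not "leaked credentials".
let timeframe = 1d;
SigninLogs
| where TimeGenerated > ago(timeframe)
| extend RiskEvents = parse_json(RiskEventTypes)
// one row per risk event type on the sign-in, as a plain string
| mv-expand RiskEvent = RiskEvents to typeof(string)
| where RiskEvent =~ "leakedCredentials"
// RiskDetail records remediation (e.g. adminConfirmedUserCompromised) and
// RiskState the current state; collect them rather than filtering on them so a
// detection an admin has since acted on is still reported.
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Detections = count(),
            RiskDetails = make_set(RiskDetail),
            RiskStates = make_set(RiskState)
    by UserPrincipalName, UserId
| order by LastSeen desc
```

If this returns nothing while the Risky Users blade shows the detection, that is consistent with the licensing limitation Jurgen describes rather than with a wrong filter.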