May 12 2020 - last edited on Jan 04 2022
In Log Analytics I need to query the Activity field from Risk History in the Risky Users blade. The goal is to generate an alert every time a user's risk history shows 'Leaked Credentials' under the Activity tab in the same blade.
How do I draft this query?
May 14 2020 01:46 PM
@Ankit_Pandey Here's a start:
May 15 2020 06:12 AM
Thank you @rodtrent, however I had tried this before posting it here and it did not bring any result. Is there a possibility that after I tagged this user as Compromised, the latest value here - "Admin confirmed user compromised" - overwrites the risk history (Leaked Credentials) with a new entry and does not bring up a result?
In fact, even an unstructured search for 'leaked credentials' brings up nothing.
search "leaked credentials" --> no result
A screenshot is attached for reference to show that I am querying from the Risky Users blade.
Jun 13 2020 11:30 AM
Within the "SigninLogs" table populated by Azure Active Directory (AAD) services, risk-related alerts are populated in the column "riskEventTypes":
The possible values for riskEventTypes are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue.
In case a "risk alert" in "risk history" is not showing up, or events are coming in but only limited information is shown in the actual events, it might be caused by a licensing limitation.
Under "license requirements" you can see that P1 licenses provide limited information for notifications or reports on risk behavior.
It is possible you have a P1 license, causing the limitation on the logs coming in. If you upgrade to a P2 license it will probably populate inside Azure Sentinel.
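As an added example (not code from anyone in this thread), here is a Log Analytics query that turns the reply above into an alert rule: it expands the riskEventTypes array in SigninLogs and keeps only sign-ins flagged with leakedCredentials, grouped per user. It assumes the PascalCase column names of the Log Analytics SigninLogs schema (RiskEventTypes, RiskState, IPAddress, UserPrincipalName, UserId); the lookback window is a placeholder to match your rule's run frequency.

```kql
// Added example: Leaked Credentials detections from SigninLogs.
// Assumption: Log Analytics column names are PascalCase (RiskEventTypes, etc.);
// check your workspace schema if a column is not found.
let lookback = 1d;                                   // placeholder: align with rule frequency
SigninLogs
| where TimeGenerated > ago(lookback)
| where isnotempty(RiskEventTypes)
// RiskEventTypes holds a JSON array such as ["leakedCredentials"]; parse and expand it
// so every detection type becomes its own row before filtering.
| extend RiskTypes = todynamic(RiskEventTypes)
| mv-expand RiskType = RiskTypes to typeof(string)
| where RiskType =~ "leakedCredentials"
// Filter on the detection type, not RiskState, so a user an admin has already
// marked as compromised (RiskState confirmedCompromised) still triggers the alert.
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            SignIns   = count(),
            RiskStates = make_set(RiskState, 5),
            SourceIPs  = make_set(IPAddress, 20)
    by UserPrincipalName, UserId
| project-reorder UserPrincipalName, LastSeen, SignIns, RiskStates, SourceIPs
```

An empty result on a tenant with only P1 licensing is consistent with the licensing limitation described above rather than a query error.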