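// Scheduled detection: alert once per newly observed "leakedCredentials"
// risk detection reported by Entra ID (Azure AD) Identity Protection.
//
// Each detection Id may produce several records over time (state/detail
// updates). The query keeps the latest record per Id (so RiskState,
// RiskDetail and RiskLevel reflect the most recent update) but only emits
// the Id when its first record reached the workspace during the last run
// interval, so updates to an already-alerted detection do not re-fire.
let query_frequency = 5m;   // how often the rule runs; gate for "new in this run"
let query_period = 2d;      // lookback; must exceed query_frequency so earlier
                            // records of the same Id are seen and suppress re-alerts
AADUserRiskEvents
| where TimeGenerated > ago(query_period)
| where OperationName == "User Risk Detection"
    and Source == "IdentityProtection"
    and RiskEventType == "leakedCredentials"
// Gate on ingestion_time() rather than TimeGenerated: a record can be written
// to the workspace later than its TimeGenerated. If that lag exceeds
// query_frequency, a TimeGenerated-based gate never sees the record inside
// the run window and the detection is silently missed.
| summarize firstIngested = min(ingestion_time()), arg_max(TimeGenerated, *) by Id
| where firstIngested > ago(query_frequency)
| project
    TimeGenerated,
    OperationName,
    Source,
    Activity,
    UserDisplayName,
    UserPrincipalName,
    UserId,
    RiskEventType,
    RiskState,
    RiskDetail,
    RiskLevel,
    DetectionTimingType   // realtime vs offline detection — affects how stale the leak evidence may be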