Identifying risky users with Microsoft Entra ID Protection

let Timeframe = 90d;
AuditLogs
| where TimeGenerated > ago(Timeframe)
// Keep only the risky-user decisions; both operations are included by default
| where OperationName in ("DismissUser", "ConfirmAccountCompromised")
// To focus on a single operation, uncomment one of the lines below
//| where OperationName == "DismissUser"
//| where OperationName == "ConfirmAccountCompromised"
// Display name of the user the operation was applied to
| extend SuspUser = tostring(TargetResources[0].displayName)
// Add here the name of the user you want to focus on
//| where SuspUser contains @""
// UPN of the security operator who performed the operation
| extend SecUser = tostring(InitiatedBy.user.userPrincipalName)
// Add here the name of the security operator who confirmed the account compromise
//| where SecUser contains @""
| project TimeGenerated, OperationName, SuspUser, SecUser
| sort by TimeGenerated desc
