{"id":89,"date":"2024-01-12T09:59:00","date_gmt":"2024-01-12T09:59:00","guid":{"rendered":"https:\/\/cyber-resilience.mobi\/?p=89"},"modified":"2024-01-12T10:05:41","modified_gmt":"2024-01-12T10:05:41","slug":"user-risk","status":"publish","type":"post","link":"https:\/\/cyber-resilience.mobi\/?p=89","title":{"rendered":"KQL User Risk"},"content":{"rendered":"\n<pre class=\"wp-block-code\"><code>let Timeframe = 90d;\r\nAuditLogs\r\n    | where TimeGenerated > ago(Timeframe)\r\n    \/\/ Choose whether you want to focus on DissmissUser or ConfirmAccountCompromised operations\r\n    \/\/| where OperationName == \"DismissUser\"\r\n    \/\/| where OperationName == \"ConfirmAccountCompromised\"\r\n    | extend SuspUser = tostring(TargetResources&#91;0].displayName)\r\n    \/\/ Add here the name of the user you want to focus on\r\n    \/\/| where SuspUser contains @\"\"\r\n    | extend SecUser = InitiatedBy.user.userPrincipalName\r\n    \/\/ Add here the name of the security operator that confirmed account compromized\r\n    \/\/| where SecUser contains @\"\"\r\n    | project TimeGenerated, SuspUser, SecUser\r\n    | sort by TimeGenerated desc<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[18,19,22],"class_list":["post-89","post","type-post","status-publish","format-standard","hentry","category-kql-sentinel","tag-kql","tag-kusto","tag-sentinel"],"_links":{"self":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/89","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=89"}],"version-history":[{"count":2,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/89\/revisions"}],"predecessor-version":[{"id":91,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/89\/revisions\/91"}],"wp:attachment":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=89"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=89"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=89"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}