...
```
from cloud.azure.ad.signin_all where not eq(risk_state,"none"), isnotnull(risk_state) group by user, risk_state, risk_detail
```
Monitor It
Create an inactivity alert to detect interruptions in the transfer of data from the source to the event hub using the following query:

```
from cloud.azure.ad.signin_all
where eq(action,"LOGIN"),isnotnull(application)
//Divide the applications into a few simple, but subjective, categories
select peek(application,"(?i)Azure|Office|Sharepoint|Windows|Microsoft") as application_category
where isnotnull(application_category)
//Create an inactivity alert to detect an interruption to logins
select split(hostchain,"-",1)+" "+application_category as monitor_collector_and_application_category
```
Set the inactivity alert to keep track of the monitor_collector_and_application_category field. The alert will trigger if a particular collector stops receiving login events for popular applications such as Office. This can occur if Office authentication is broken or if all users are on holiday.
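As an added illustration (not part of the Devo documentation), the following Python mirrors both queries above on constructed sign-in rows: the risk-state filter and grouping from the first query, and the application categorization, collector key and inactivity condition from the second. It assumes LINQ's split() index is 0-based like Python's; the sample rows, hostchain values and the 2-hour window are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Same regex as the page's peek() call; peek() returns the first substring the regex matches.
APP_CATEGORY_RE = re.compile(r"(?i)Azure|Office|Sharepoint|Windows|Microsoft")
# Constructed sample rows (not real tenant data); field names follow the page's queries.
SIGNINS = [
    {"ts": "2024-01-10T09:00:00", "action": "LOGIN", "application": "Office 365 Exchange Online",
     "hostchain": "relay1-collectorA", "user": "alice", "risk_state": "none", "risk_detail": None},
    {"ts": "2024-01-10T09:05:00", "action": "LOGIN", "application": "Azure Portal",
     "hostchain": "relay1-collectorA", "user": "bob", "risk_state": "atRisk", "risk_detail": "hidden"},
    {"ts": "2024-01-10T09:10:00", "action": "LOGIN", "application": "Salesforce",
     "hostchain": "relay1-collectorB", "user": "carol", "risk_state": None, "risk_detail": None},
    {"ts": "2024-01-10T12:00:00", "action": "LOGIN", "application": "Azure Portal",
     "hostchain": "relay1-collectorB", "user": "dave", "risk_state": "atRisk", "risk_detail": "hidden"},
    {"ts": "2024-01-10T12:30:00", "action": "LOGOUT", "application": "Office 365 Exchange Online",
     "hostchain": "relay1-collectorA", "user": "alice", "risk_state": "none", "risk_detail": None},
]

def risky_signins(events):
    """First query: rows with a risk_state that is set and not "none", counted per (user, risk_state, risk_detail)."""
    counts = Counter()
    for e in events:
        if e["risk_state"] is not None and e["risk_state"] != "none":
            counts[(e["user"], e["risk_state"], e["risk_detail"])] += 1
    return dict(counts)

def monitor_key(event):
    """Second query: split(hostchain,"-",1) + " " + peek(application, regex); None for rows the
    where clauses drop (non-LOGIN, missing application, no category). Assumes 0-based split()."""
    if event["action"] != "LOGIN" or event["application"] is None:
        return None
    m = APP_CATEGORY_RE.search(event["application"])
    if m is None:
        return None
    return event["hostchain"].split("-")[1] + " " + m.group(0)

def inactive_monitors(events, now_iso, window_hours):
    """Inactivity condition: keys that produced logins before but none in the last window_hours."""
    now, window = datetime.fromisoformat(now_iso), timedelta(hours=window_hours)
    last_seen = {}
    for e in events:
        key = monitor_key(e)
        if key is not None:
            ts = datetime.fromisoformat(e["ts"])
            last_seen[key] = max(ts, last_seen.get(key, ts))
    return sorted(k for k, ts in last_seen.items() if now - ts > window)
```

With the sample rows, only collectorB's Azure logins fall inside the window, so both collectorA keys come back as inactive, which is the condition the alert would fire on.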