top of page

Azure Sentinel KQL Query to generate report of Users and Authentication Methods they have used.

Below KQL query will generate the report that generate report of Users and Authentication Methods they have used.


| extend authenticationMethod_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)

| extend authenticationMethodDetail_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethodDetail)

| extend authenticationStepResultDetail_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepResultDetail)

| extend authenticationStepRequirement_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepRequirement)

| extend authenticationStepDateTime_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepDateTime)

| where isnotempty(authenticationMethod_)

| project UserDisplayName, UserPrincipalName, AppDisplayName, authenticationMethod_, authenticationMethodDetail_, authenticationStepRequirement_, authenticationStepDateTime_, Status

| sort by authenticationStepDateTime_ desc

1,170 views0 comments

Recent Posts

See All

Optimizing Microsoft Sentinel (SIEM) Environment

In the ever-evolving landscape of cybersecurity, the importance of a well-optimized Sentinel Environment cannot be overstated. As threats continue to morph and adapt, security teams must engage in a c


bottom of page