Search

Azure Sentinel KQL Query to generate report of Users and Authentication Methods they have used.

Below KQL query will generate the report that generate report of Users and Authentication Methods they have used.



SigninLogs

| extend authenticationMethod_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)

| extend authenticationMethodDetail_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethodDetail)

| extend authenticationStepResultDetail_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepResultDetail)

| extend authenticationStepRequirement_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepRequirement)

| extend authenticationStepDateTime_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepDateTime)

| where isnotempty(authenticationMethod_)

| project UserDisplayName, UserPrincipalName, AppDisplayName, authenticationMethod_, authenticationMethodDetail_, authenticationStepRequirement_, authenticationStepDateTime_, Status

| sort by authenticationStepDateTime_ desc


47 views0 comments

Recent Posts

See All