top of page

Azure Sentinel KQL Query to generate report of Users and Authentication Methods they have used.

Below KQL query will generate the report that generate report of Users and Authentication Methods they have used.


| extend authenticationMethod_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)

| extend authenticationMethodDetail_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethodDetail)

| extend authenticationStepResultDetail_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepResultDetail)

| extend authenticationStepRequirement_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepRequirement)

| extend authenticationStepDateTime_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepDateTime)

| where isnotempty(authenticationMethod_)

| project UserDisplayName, UserPrincipalName, AppDisplayName, authenticationMethod_, authenticationMethodDetail_, authenticationStepRequirement_, authenticationStepDateTime_, Status

| sort by authenticationStepDateTime_ desc

764 views0 comments

Recent Posts

See All

As a member of a Security Operations Center (SOC), one of the key responsibilities is to generate regular reports on incidents. These reports provide valuable insights into the security landscape and

bottom of page