Successful Logins Query Request

Follow

Gabby Ariza

• November 10, 2021 20:37

How do I convert this scrip of Failed Logins Outside the US to Successful logins?

 

_sourceCategory = office365/* "\"Workload\":\"AzureActiveDirectory\"" (PasswordLogonInitialAuthUsingADFSFederatedToken or PasswordLogonInitialAuthUsingPassword or UserLoginFailed) failed
| json "Workload", "Operation", "ClientIP", "ResultStatus", "ObjectId", "UserId"
| where Workload = "AzureActiveDirectory" and Operation in ("PasswordLogonInitialAuthUsingADFSFederatedToken", "PasswordLogonInitialAuthUsingPassword", "UserLoginFailed") and ResultStatus in ("failed", "Failed")
| count by ClientIP
| lookup latitude, longitude, country_code, country_name, region, city, postal_code from geo://location on ip = ClientIP
| where !(country_code = "US")
| count by clientIP, latitude, longitude, country_code, country_name, region, city, postal_code
| sort _count

0

• 

  Shobhit Garg

  • November 15, 2021 06:30

  Hi Gabby,

  You can refer to our O365 app and can extract the query from below. 

  https://help.sumologic.com/07Sumo-Logic-Apps/04Microsoft-and-Azure/Microsoft_Office_365/Microsoft-Office-365-App-Dashboards#azure-active-directory

  Azure Active Directory

  Office 365 - Active Directory - Login Locations

  Hope this helps.

  Regards

  0

  Comment actions Permalink

Please sign in to leave a comment.