Successful Logins Query Request
How do I convert this script of Failed Logins Outside the US to Successful logins?
_sourceCategory = office365/* "\"Workload\":\"AzureActiveDirectory\"" (PasswordLogonInitialAuthUsingADFSFederatedToken or PasswordLogonInitialAuthUsingPassword or UserLoginFailed) failed
| json "Workload", "Operation", "ClientIP", "ResultStatus", "ObjectId", "UserId"
| where Workload = "AzureActiveDirectory" and Operation in ("PasswordLogonInitialAuthUsingADFSFederatedToken", "PasswordLogonInitialAuthUsingPassword", "UserLoginFailed") and ResultStatus in ("failed", "Failed")
| count by ClientIP
| lookup latitude, longitude, country_code, country_name, region, city, postal_code from geo://location on ip = ClientIP
| where !(country_code = "US")
| count by clientIP, latitude, longitude, country_code, country_name, region, city, postal_code
| sort _count
-
Hi Gabby,
You can refer to our O365 app and can extract the query from below.
Azure Active Directory
Office 365 - Active Directory - Login Locations
Hope this helps.
Regards
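
An added example, not part of the original thread and not taken from the Sumo Logic O365 app: the failed-login query from the question adapted to successful logins outside the US. It assumes successful Azure AD sign-ins are recorded with Operation "UserLoggedIn" and a ResultStatus of "Succeeded" or "Success"; confirm both values against your own audit records before relying on it.

```sumologic
// Added example. The keyword UserLoggedIn replaces the failed-login operations and the "failed" keyword.
_sourceCategory = office365/* "\"Workload\":\"AzureActiveDirectory\"" UserLoggedIn
| json "Workload", "Operation", "ClientIP", "ResultStatus", "ObjectId", "UserId"
// Assumed success values; adjust to what your tenant's records actually contain.
| where Workload = "AzureActiveDirectory" and Operation = "UserLoggedIn" and ResultStatus in ("Succeeded", "Success")
| count by ClientIP
| lookup latitude, longitude, country_code, country_name, region, city, postal_code from geo://location on ip = ClientIP
| where !(country_code = "US")
// _count still holds the number of successful logins per ClientIP from the aggregation above.
| sort _count
```

To see which accounts signed in from each address, change the aggregation to `count by ClientIP, UserId`.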