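// Example query for SigninLogs showing how to break out packed fields.
//
// Columns such as DeviceDetail, ConditionalAccessPolicies, Status and
// LocationDetails arrive as dynamic (JSON) objects. The `extend` steps below
// promote selected properties to plain string columns so they can be used as
// `summarize` keys. Keep in mind that `summarize ... by` keeps ONLY the listed
// keys: OS, Browser and Hour are extended here as examples of the technique
// but are dropped from the output unless they are added to the `by` clause.
//
// Fixes relative to the original listing: stray empty `|` lines and the
// dangling trailing `|` after `sort by Date` (both syntax errors in Kusto)
// have been removed.
SigninLogs
// Look-back window; widen as needed (a larger window scans more data).
| where TimeGenerated >= ago(1d)
// Device information from the DeviceDetail dynamic column (example only;
// not a summarize key below).
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
// Only the first three evaluated Conditional Access policies are unpacked
// (array index 0..2). Sign-ins evaluated against more policies silently lose
// the remainder; use `mv-expand ConditionalAccessPolicies` for one row per
// policy if full coverage is needed.
| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName), ConditionalAccessPol0Result = tostring(ConditionalAccessPolicies[0].result)
| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName), ConditionalAccessPol1Result = tostring(ConditionalAccessPolicies[1].result)
| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName), ConditionalAccessPol2Result = tostring(ConditionalAccessPolicies[2].result)
// Sign-in outcome details from the Status dynamic column, kept alongside the
// top-level ResultType / ResultDescription columns for correlation.
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
// Geo detail beyond the top-level Location column.
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
// Date buckets the summary per day. Hour is computed for convenience; add it
// to the `by` clause below to bucket per hour instead.
| extend Date = startofday(TimeGenerated), Hour = datetime_part("Hour", TimeGenerated)
// One row per distinct combination of the listed keys, with the sign-in count.
| summarize count() by Date, Identity, UserDisplayName, UserPrincipalName, IPAddress, ResultType, ResultDescription, StatusCode, StatusDetails, ConditionalAccessPol0Name, ConditionalAccessPol0Result, ConditionalAccessPol1Name, ConditionalAccessPol1Result, ConditionalAccessPol2Name, ConditionalAccessPol2Result, Location, State, City, RiskLevel
// `sort by` defaults to descending in Kusto; stated explicitly so the
// newest-day-first ordering is obvious to readers.
| sort by Date desc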