Azure AD Identity Protection Glitch
Query
SigninLogs
| where (RiskEventTypes != "[]" or RiskEventTypes_V2 != "[]") and AuthenticationDetails has "Password"
| extend AuthenticationDetails = todynamic(AuthenticationDetails), TimeIngested = ingestion_time()
| mv-expand AuthenticationDetails
| where AuthenticationDetails["authenticationMethod"] == "Password" and AuthenticationDetails["succeeded"] == "false"
| sort by TimeIngested
| project-reorder TimeIngested, TimeGenerated, RiskEventTypes, RiskState, AuthenticationDetailsExplanation
This query is looking at signin logs and filtering for events where there is a risk event type or a risk event type version, and the authentication details include the word "Password". It then converts the authentication details to a dynamic type and adds a new column for the time the data was ingested. The query then expands the authentication details into separate rows, filters for events where the authentication method is "Password" and it did not succeed, sorts the results by the time the data was ingested, and finally projects only the specified columns in a specific order.
Details

Jose Sebastián Canós
Released: May 4, 2023
Tables
SigninLogs
Keywords
SigninLogsRiskEventTypesRiskEventTypes_V2AuthenticationDetailsPasswordTimeIngestedauthenticationMethodsucceededTimeGeneratedRiskState
Operators
whereorandhasextendtodynamicingestion_timemv-expand==sort byproject-reorder