Function: UserRiskStatus()
User Risk Status
Query
// Function returns the RiskState of a UPN, if the results are empty then the user did not have a risky state in the last 90 days.
let UserRiskStatus = (UPN: string) {
AADRiskyUsers
| where TimeGenerated > ago(90d)
| where UserPrincipalName =~ UPN
| summarize arg_max(TimeGenerated, *) by UserPrincipalName
| project TimeGenerated, UserPrincipalName, RiskState, RiskLevel, RiskDetail
};
// Example
UserRiskStatus("[email protected]")About this query
Function: UserRiskStatus()
Query Information
Description
This function returns the RiskState of a UPN, if the results are empty then the user did not have a risky state in the last 90 days. This saves time to not having to lookup the user in Azure Active Directory, by leveraging a log analytics data which saves the content of the risk status of users.
References
- https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/functions/user-defined-functions
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-custom-functions?view=o365-worldwide
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-export-risk-data
Defender XDR
// Function returns the RiskState of a UPN, if the results are empty then the user did not have a risky state in the last 90 days.
let UserRiskStatus = (UPN: string) {
AADRiskyUsers
| where Timestamp > ago(90d)
| where UserPrincipalName =~ UPN
| summarize arg_max(Timestamp, *) by UserPrincipalName
| project Timestamp, UserPrincipalName, RiskState, RiskLevel, RiskDetail
};
// Example
UserRiskStatus("[email protected]")
Sentinel
Explanation
The query defines a function called UserRiskStatus that checks the risk status of a user in Azure Active Directory (AAD) over the past 90 days. It does this by looking up the user's principal name (UPN) in a log of risky users. If the user has had any risky activity in the last 90 days, the function returns details about the most recent instance, including the timestamp, risk state, risk level, and risk details. If there are no results, it means the user did not have any risky states in that period. This function is useful for quickly checking a user's risk status without manually searching through Azure Active Directory. The query is written in Kusto Query Language (KQL) and is used in both Defender XDR and Sentinel environments.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators