Identification Of Risky Users Risk Dismissal Or Account Compromised Confirmation
Query
let Timeframe = 90d;
AuditLogs
| where TimeGenerated > ago(Timeframe)
// Choose whether you want to focus on DissmissUser or ConfirmAccountCompromised operations
//| where OperationName == "DismissUser"
//| where OperationName == "ConfirmAccountCompromised"
| extend SuspUser = tostring(TargetResources[0].displayName)
// Add here the name of the user you want to focus on
//| where SuspUser contains @""
| extend SecUser = InitiatedBy.user.userPrincipalName
// Add here the name of the security operator that confirmed account compromized
//| where SecUser contains @""
| project TimeGenerated, SuspUser, SecUser
| sort by TimeGenerated descAbout this query
Identification of risky users risk dismissal or account compromised confirmation
Description
The following query will identify through Microsoft Entra ID Protection capacity, risky users operations that include risk dismissal or account compromised confirmation.
Microsoft Sentinel
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 14/12/2023 | Initial publish |
Explanation
This query uses Microsoft Entra ID Protection to identify risky user operations related to risk dismissal or account compromise confirmation. It looks at audit logs within a specified timeframe and filters for specific operations. It then extracts the display name of the targeted user and the user principal name of the security operator who confirmed the account compromise. The results are sorted by the time the operation was generated.
Details

Michalis Michalos
Released: December 14, 2023
Tables
AuditLogs
Keywords
DevicesIntuneUser
Operators
whereextendprojectsort by