@stianhoydal 

 

Thank you so much, I was able to push the high risk users to sentinel logs with a playbook following your method. However... excuse my ignorance but the last query you are running..

 

let Alert=
SigninLogs
| where UserPrincipalName contains "username"
| where ResultType == "50158"
| take 1;
let HighRiskUser=
HighRiskUsers_CL
| where TimeGenerated > ago(24h)
| extend UserPrincipalName = UserPrincipalName_s
| project TimeGenerated, UserPrincipalName, AADObjectID_g
;
Alert
| join kind=inner HighRiskUser on UserPrincipalName
| project TimeGenerated, ResultType, UserPrincipalName

 

this query works only if we replace "username" with an actual username. But wasnt the whole point of this to not enter usernames manually? what am I missing here. FYI I am just a beginner at KQL and still not familiar with most operators, including join/union. 

 

www.000webhost.com