3 Comments

Hey Rod, I was trying to run the KQL above with no luck. Am I crazy, but I am not finding SessionID under the SigninLogs table, which is kind of key to getting this to work. It is under the CloudAppEvents table, but it seems that it needs this on both tables.

I was able to find something on the Defender 'Advanced Hunting' side that worked, but I do not have this 'AADSignInEventsBeta' table over in the Sentinel side, and just thought it was crazy that I can't seem to replicate this over in Sentinel:

AADSignInEventsBeta
| where Timestamp > ago(2d)
| where ErrorCode == 0
| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application
| where ClientAppUsed == "Browser"
| where LogonType has "interactiveUser"
| where AccountUpn contains "userprincipalname@email.com"
| summarize arg_min(Timestamp, Country) by SessionId;

Can you think of anything that I am missing on my end?
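As an added example (not the blog's or the commenter's own query), the Advanced Hunting query above can be extended so that, instead of returning only the first country seen per session, it surfaces sessions whose successful browser sign-ins span more than one country across all users; it assumes the same Defender XDR AADSignInEventsBeta table and columns the comment uses.

```kql
// Added example, not from the original post or comment.
// Assumes the Defender XDR AADSignInEventsBeta table and the columns used in the
// comment above (Timestamp, ErrorCode, ApplicationId, ClientAppUsed, LogonType,
// AccountUpn, Country, SessionId).
let lookback = 2d;
let officeHomeAppId = "4765445b-32c6-49b0-83e6-1d93765276ca"; // OfficeHome, as in the comment
AADSignInEventsBeta
| where Timestamp > ago(lookback)
| where ErrorCode == 0                      // successful sign-ins only
| where ApplicationId == officeHomeAppId
| where ClientAppUsed == "Browser"
| where LogonType has "interactiveUser"
| where isnotempty(SessionId)               // sessions cannot be correlated without an id
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Countries = make_set(Country),          // every country observed for the session
    CountryCount = dcount(Country),
    SignInCount = count()
    by AccountUpn, SessionId
| where CountryCount > 1                    // same session, more than one country
| project AccountUpn, SessionId, FirstSeen, LastSeen, Countries, SignInCount
| order by LastSeen desc
```

Drop the CountryCount filter to review every session's country set, or add back the AccountUpn filter from the comment to scope it to one user.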

author

Looks like the schema has changed somewhat. Let me dig into it.


Thanks! I am somewhat new to Sentinel (3 months in), so it is kind of crazy to run across KQL queries that worked as of 10/2023 and are no longer working, so I was almost wondering if I was missing data in my SigninLogs table!

It's also kind of goofy because

Thanks for all your work on here! I know you probably get this constantly, but your blog is an absolute necessity for me as a beginner, and the weekly additions are so nice to have!
