Query missing in Azure

John Maya Intertek 0 Reputation points
2024-07-29T23:28:24.85+00:00

Hi everyone,

I am running this query in Microsoft Azure:

AADUserRiskEvents
| where TimeGenerated >= ago(7d)
| where RiskDetail startswith "admin"
| summarize arg_max(TimeGenerated, *) by UserPrincipalName
| project UserPrincipalName, RiskState, RiskDetail, RiskEventType, TimeGenerated
| order by TimeGenerated desc


The results are as follows:

USER PRINCIPAL NAME xx.yy@zz.com

RISK STATE confirmedSafe

RISK DETAIL adminConfirmedAccountSafe

RISK EVENT TYPE unfamiliarFeatures

TIME GENERATED 7/29/2024, 9:36:22.000 PM

Those results are good, but I also need to see which admin.cloud account performed the activity and what remediation was used (i.e. Compromised user, safe user or dismissed user).

What should I add to my query to see the pending results?

Thank you and let me know any questions

Microsoft Entra

1 answer

Givary-MSFT 32,586 Reputation points Microsoft Employee
    2024-08-01T06:48:21.6366667+00:00

    @John Maya Intertek Thank you for reaching out to us. Based on my findings, the account of the actor who performed the action can be retrieved from the audit logs.

    I would recommend checking the query below to see if it helps achieve the required info.

    AADUserRiskEvents
    | where TimeGenerated >= ago(7d)
    | where RiskDetail startswith "admin"
    | summarize arg_max(TimeGenerated, *) by UserPrincipalName
    | project UserPrincipalName, RiskState, RiskDetail, RiskEventType, TimeGenerated, Source
    | order by TimeGenerated desc
    | join (AuditLogs | where ActivityDateTime <= now()) on $left.Source == $right.LoggedByService
    | project UserPrincipalName, RiskState, RiskEventType, OperationPerformedPerson = InitiatedBy.user.userPrincipalName

    Let me know if you have any questions, feel free to post back.

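The query in the answer joins on `Source == LoggedByService` alone, which pairs every risk event with every audit entry written by that service, so the resulting `OperationPerformedPerson` is not tied to the user whose risk was remediated. The following KQL is an added example, not code from the question or the answer above: it correlates each admin-remediated risk event with the audit entry for the same target user inside a time window, and maps `RiskState` to the remediation labels the question asks about. Column names (`InitiatedBy`, `TargetResources`, `LoggedByService`, `OperationName`, `Result`) are from the Entra `AuditLogs` schema and `Source` from `AADUserRiskEvents`; the 1-hour window and the `RiskState` value strings (`confirmedSafe`, `confirmedCompromised`, `dismissed`) are assumptions to confirm against your own tenant's data.

```kql
// Added example (not from the original post): find which admin remediated each
// risky user and how, by matching on the affected user and a time window
// instead of on LoggedByService alone.
let lookback = 7d;
let window = 1h;   // assumed: audit entry is expected within 1h of the risk event
let riskRemediated =
    AADUserRiskEvents
    | where TimeGenerated >= ago(lookback)
    | where RiskDetail startswith "admin"
    | summarize arg_max(TimeGenerated, *) by UserPrincipalName
    | project
        RiskUpn = tolower(UserPrincipalName),
        RiskState, RiskDetail, RiskEventType, Source,
        RiskTime = TimeGenerated;
let adminActions =
    AuditLogs
    | where TimeGenerated >= ago(lookback)
    // the admin who clicked "confirm safe/compromised/dismiss" is the initiator,
    // the risky user is the first target resource
    | extend
        ActorUpn  = tostring(InitiatedBy.user.userPrincipalName),
        TargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
    | where isnotempty(TargetUpn)
    | project TargetUpn, LoggedByService, ActorUpn, OperationName, Result,
              ActionTime = TimeGenerated;
riskRemediated
| join kind=inner adminActions
    on $left.RiskUpn == $right.TargetUpn, $left.Source == $right.LoggedByService
// keep only audit entries close to the risk event
| where ActionTime between ((RiskTime - window) .. (RiskTime + window))
// for each risky user keep the audit action nearest in time
| extend Gap = abs(ActionTime - RiskTime)
| summarize arg_min(Gap, *) by RiskUpn
// translate RiskState into the remediation labels used in the Identity Protection UI
| extend Remediation = case(
    RiskState == "confirmedSafe",        "Safe user",
    RiskState == "confirmedCompromised", "Compromised user",
    RiskState == "dismissed",            "Dismissed user",
    RiskState)
| project RiskUpn, RiskEventType, RiskState, Remediation,
          RemediatedBy = ActorUpn, OperationName, Result, RiskTime, ActionTime
| order by RiskTime desc
```

If a risky user shows no row after the join, widen `window` or drop the `Source == LoggedByService` key and inspect `OperationName` values for that user in `AuditLogs` first; the exact service and operation strings vary, so verify them in your workspace before relying on this for reporting.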
