How to get logic app to read my query

Solange Ngundu 0 Reputation points
2024-08-20T17:17:03.3833333+00:00

I am trying to automatically close an Identity Protection alert that is always a false positive. I have a query I wrote and created a rule. It triggers the alert and the properties that I want to see, but the issue is that the Logic App does not read my query.

Here is my query and workflow.

The goal is to filter out anything that contains SSO and close automatically.

flow.PNG

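// Sign-in summary per user and source. "signin" is defined here but is not
// referenced by the query below, which joins the raw SigninLogs table.
let signin=
SigninLogs
| where TimeGenerated > ago(24h)
| extend SigninTime = TimeGenerated
// This filter compares the column with itself, so it is always true.
| where UserPrincipalName =~ UserPrincipalName
// Keep only sign-ins that carry at least one risk event type.
| where RiskEventTypes_V2 != "[]"
// count() takes no predicate, so countif() is used; ResultType is a string and "0" means success.
| summarize
    FirstSeen = min(TimeGenerated),
    LastObserved = max(TimeGenerated),
    SuccessfullCount = countif(ResultType == "0"),
    FailureCount = countif(ResultType != "0")
    by
    UserPrincipalName,
    IPAddress,
    Location,
    UserAgent,
    ClientAppUsed,
    AppDisplayName,
    RiskEventTypes_V2;
// Real-time risk detections joined to sign-ins on CorrelationId.
AADUserRiskEvents
| where TimeGenerated > ago(24h)
| extend RiskTime = TimeGenerated
| where DetectionTimingType == "realtime"
| join kind=inner SigninLogs on CorrelationId
| project UserDisplayName1, IpAddress, AppDisplayName, UserAgent, Location, RiskEventType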

