Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
I am trying to automatically close an identity protection alert that is always a false positive. I have a query I wrote and created a rule. It triggers the alert and the properties that I want to see, but the issue is the Logic App does not read my query.
Here is my query and workflow.
The goal is to filter out anything that contains SSO and close it automatically.
let signin =
SigninLogs
| where TimeGenerated > ago(24h)
| extend SigninTime = TimeGenerated
// The original "UserPrincipalName =~ UserPrincipalName" compared the column to itself,
// which only drops rows with an empty value; say that explicitly
| where isnotempty(UserPrincipalName)
| where RiskEventTypes_V2 != "[]"
| summarize
    FirstSeen = min(TimeGenerated),
    LastObserved = max(TimeGenerated),
    // count() takes no arguments; countif() does the conditional count.
    // ResultType is a string column in SigninLogs, so compare against "0"
    SuccessfulCount = countif(ResultType == "0"),
    FailureCount = countif(ResultType != "0")
  by
    UserPrincipalName,
    IPAddress,
    Location,
    UserAgent,
    ClientAppUsed,
    AppDisplayName,
    RiskEventTypes_V2;
// Note: "signin" is never referenced below; the join reads SigninLogs directly,
// and the summarized "signin" no longer carries CorrelationId to join on
AADUserRiskEvents
| where TimeGenerated > ago(24h)
| extend RiskTime = TimeGenerated
| where DetectionTimingType == "realtime"
| join kind=inner SigninLogs on CorrelationId
// Columns present in both tables get a "1" suffix on the SigninLogs side after the join
| project UserDisplayName1, IpAddress, AppDisplayName, UserAgent, Location, RiskEventType
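The query the post describes, rewritten as an added example (not the poster's query) so that the stated goal is actually expressed: real-time risk detections are joined to their sign-in, the SSO false positive is excluded before the rule can raise anything, and the success/failure counts are aggregated after the join. It assumes, hypothetically, that "SSO" appears in AppDisplayName; the column name is the assumption to adjust for your tenant.

```kusto
// Added example, not the original poster's query.
// Assumption (hypothetical): the SSO sign-ins to exclude are identifiable by AppDisplayName.
let lookback = 24h;
let risky_signins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskEventTypes_V2 != "[]"
    // Exclude the known false positive before the join, so it never reaches the rule output
    | where not(AppDisplayName has "SSO")
    // Keep CorrelationId (the join key) and rename Location to avoid a name clash
    // with the dynamic Location column of AADUserRiskEvents
    | project CorrelationId, SigninTime = TimeGenerated, IPAddress, SigninLocation = Location,
              UserAgent, ClientAppUsed, AppDisplayName, ResultType;
AADUserRiskEvents
| where TimeGenerated > ago(lookback)
| where DetectionTimingType == "realtime"
| join kind=inner risky_signins on CorrelationId
| summarize
    FirstSeen = min(SigninTime),
    LastObserved = max(SigninTime),
    // ResultType is a string column, hence the quoted "0"
    SuccessfulCount = countif(ResultType == "0"),
    FailureCount = countif(ResultType != "0"),
    RiskEvents = make_set(RiskEventType)
  by UserPrincipalName, UserDisplayName, IPAddress, SigninLocation, UserAgent, ClientAppUsed, AppDisplayName
// UserPrincipalName and IPAddress are the columns to map to the Account and IP entities in the rule
```

Because the exclusion happens inside the query, the analytic rule produces no alert for SSO sign-ins, so the playbook only has to handle the detections that are left.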