Queries for the AADUserRiskEvents table

Article
02/20/2024

Recent user risk events

Gets list of the top 100 active user risk events.

AADUserRiskEvents
| where DetectedDateTime > ago(1d)
| where RiskState == "atRisk"
| take 100

Active user risk detections

Gets a list of active user risk detections.

AADUserRiskEvents
| summarize arg_max(LastUpdatedDateTime, *) by RequestId, UserId
| where RiskState == "atRisk"

Feedback

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.

Submit and view feedback for

This product This page

View all page feedback

Queries for the AADUserRiskEvents table

Recent user risk events

Active user risk detections

Feedback

Feedback

Additional resources