Queries for the AADUserRiskEvents table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Recent user risk events

Gets list of the top 100 active user risk events.

AADUserRiskEvents
| where DetectedDateTime > ago(1d)
| where RiskState == "atRisk"
| take 100

Active user risk detections

Gets a list of active user risk detections.

AADUserRiskEvents
| summarize arg_max(LastUpdatedDateTime, *) by RequestId, UserId
| where RiskState == "atRisk"