The summarize above does not contain TimeGenerated, so the TimeGenerated field is removed from the results past that. Therefore, you cannot use it at the final line. Try the code below. let threshold=1; let authenticationWindow=5m; let Logs=SigninLogs | where UserPrincipalName == "email address ...
For information about application query statements, see Application query statements. The most common kind of query statement is a tabular expression statement, which means both its input and output consist of tables or tabular datasets. Tabular statements contain zero or more operators, each of which sta...
You can combine different parts of a keyword query by using the opening parenthesis character "(" and closing parenthesis character ")". Each opening parenthesis "(" must have a matching closing parenthesis ")". A white space before or after a parenthesis does not affect the query. ...
This query would find SigninLogs where the application display name does not contain "Teams". Project Basics Project allows us to select which columns are returned in our query and in which order. SigninLogs | where TimeGenerated > ago(14d) | where UserPrincipalName == "reprise_99@testdomain.com" |...
The following are culture dependent and are not specified here:
; float-value, integer-value, date-value, date-value-no-ws
string-value = quoted-string-value / unquoted-string-value
; <quoted-string-value> can contain any characters, but a double quotation
; mark within the quoted string ...
This query would find all SigninLogs where the UserPrincipalName does not contain reprise_99. SigninLogs | where TimeGenerated > ago(14d) | where AppDisplayName !has "Teams" This query would find SigninLogs where the application display name does not contain "Teams". Project Basics Project ...