I have indexed my Azure AD audit and sign-in logs:
{ [-]
Level: 4
callerIpAddress: xxx.xxx.xxx.xxx
category: SignInLogs
correlationId: xxxxxxxxxxxxxxxxxx
durationMs: 0
identity: My User
location: IN
operationName: Sign-in activity
operationVersion: 1.0
properties: { [+]
}
resourceId: /tenants/xxxxxxxxxxxxxxxxxxxxx/providers/Microsoft.aadiam
resultSignature: None
resultType: 0
tenantId: xxxxxxxxxxxxxxxx
time: 2020-01-08T15:59:39.0169752Z
}
so I get a nice event in splunk for each sign in, most people log in every day.
I would like to create a query that would look at 120 days of sign ins and give me a list of everyone that has not signed in for the past 90 days. (for compliance reasons) anyone know how to set up a query like this?
thanks,
-ken
↧