I wanted to query the service health metric of Entra ID in ALA. I used SigninLogs and AuditLogs but couldn’t find the correct query in ALA that will show the same monitoring metrics as the dashboard in Entra Service Health (like token requests per second, top application visits, bad password or risky IP).
To query the service health metric of Entra ID in a Log Analytics workspace, you first need to configure the Diagnostic settings as detailed in the MS Doc by selecting audit logs and sign-in logs.
I used SigninLogs and AuditLogs but couldn’t find the correct query in ALA:
You can check here for KQL query samples related to signin logs table in multiple scenarios.
For example, if you want to check for invalid or bad password applications logs, you can query it in the below way.
SigninLogs
| where ResultType == "50126"
Where 50126 sign-in error code is an error code for invalid username or password, as detailed in the given blog.
And summarize the count of attempts by the time generated field.
| summarize invalidpwdattempts = count() by bin(TimeGenerated, 24h)
You can check the below query for retrieving the Top Applicant sign-ins:
SigninLogs
| summarize topsignins = count() by AppDisplayName
After summarizing, you can get the required number of top applicant sign-ins by display name or application ID.
| order by topsignins desc
| take 5
Also refer to this for a few more sign-in log query samples applied in different use-case scenarios.
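The bad-password filter from the answer above, extended to break the failures down by source IP and application so that noisy addresses stand out. This is an added example, not part of the original answer; `IPAddress` and `UserPrincipalName` are standard SigninLogs columns not used on the page, and the `lookback` and `minAttempts` values are assumptions chosen for illustration.

```kusto
// Added example: failed-password sign-ins (ResultType 50126) per source IP and app, per day.
let lookback = 7d;        // assumption: keep within the workspace retention period
let minAttempts = 10;     // assumption: illustrative threshold, tune to your tenant's baseline
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "50126"                      // invalid username or password
| summarize invalidpwdattempts = count(),
            distinctUsers = dcount(UserPrincipalName),   // many users from one IP suggests spraying
            firstSeen = min(TimeGenerated),
            lastSeen = max(TimeGenerated)
    by IPAddress, AppDisplayName, bin(TimeGenerated, 24h)
| where invalidpwdattempts >= minAttempts          // drop ordinary mistyped-password noise
| order by invalidpwdattempts desc
| take 50
```

A high `distinctUsers` value for a single `IPAddress` is the row to look at first; a high count with one user is more often a stale saved credential.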