mirror of
https://github.com/marcredhat/kql
synced 2026-06-08 13:23:58 +00:00
marc
4 lines
183 B
Plaintext
4 lines
183 B
Plaintext
SigninLogs | where TimeGenerated > ago(1d) | where ResultType == 0
|
|
| summarize CountriesAccessed = make_set(Location) by UserPrincipalName
|
|
| where array_length(CountriesAccessed) > 3
|