KQL Sign-Ins: Failures Outside Specified Country
KQL for SigninLogs showing failed signin attempts outside of a specified country.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType <> "0"
| where isnotempty(Location)
| where Location <> 'AU'
| summarize
['Count of Locations']=dcount(Location),
['List of Locations']=make_set(Location)
by UserPrincipalName
| sort by ['Count of Locations'] desc