I have connected Auth0 to our Azure Sentinel instance and I am trying to configure an alert for multiple failed login attempts in the last 24 hrs. I am using the KQL below, but it doesn’t recognise the column ‘ResultType’ and fails with the error “‘where’ operator: Failed to resolve column or scalar expression named 'ResultType'”. There is also the same error on UserPrincipalName. I can’t seem to find Auth0's equivalent fields.
Can anyone help??
Auth0AM_CL
| where TimeGenerated > ago(1d)
| where ResultType != "0"
| summarize count() by UserPrincipalName
| top 10 by count_
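ResultType and UserPrincipalName are SigninLogs (Azure AD) columns, not Auth0 ones; a custom-log table like Auth0AM_CL carries the fields of the raw Auth0 log event, with Sentinel's type suffixes (_s for strings, _d for numbers). The query below is an added example, not part of the original post: it first lists the table's real columns with getschema, then counts failures per user using Auth0's log event type codes (f = failed login, fp = wrong password, fu = invalid username). The column names type_s and user_name_s are assumptions based on the Auth0 log event schema plus the _s suffix; confirm them against the getschema output and adjust.

```kql
// Step 1 (run once): list the actual column names and types in the Auth0 table,
// so the detection below uses columns that really exist.
Auth0AM_CL
| getschema

// Step 2: failed login attempts per user over the last 24 hours.
// type_s and user_name_s are ASSUMED names (Auth0 'type' and 'user_name' fields
// with Sentinel's _s string suffix); replace them with what getschema shows.
Auth0AM_CL
| where TimeGenerated > ago(1d)
// Auth0 log event type codes for failed logins:
//   f  = failed login, fp = incorrect password, fu = invalid email/username
| where type_s in ("f", "fp", "fu")
| summarize
    FailedAttempts = count(),
    FailureTypes   = make_set(type_s),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by user_name_s
// Alert threshold: tune to your baseline before wiring this into an analytics rule.
| where FailedAttempts >= 10
| top 10 by FailedAttempts desc
```

If Auth0AM_CL has a user_id_s column instead of (or as well as) user_name_s, summarizing by user_id_s avoids merging users who share a display name.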