I have connected Auth0 to our Azure Sentinel instance and I am trying to configure an alert for multiple failed login attempts in the last 24 hours. I am using the KQL below, but it doesn't recognise the column 'ResultType' and gives the error "'where' operator: Failed to resolve column or scalar expression named 'ResultType'". There is also the same error on UserPrincipalName. I can't seem to find Auth0's equivalent fields.
Can anyone help?
Auth0AM_CL
| where TimeGenerated > ago(1d)
| where ResultType != "0"
| summarize count() by UserPrincipalName
| top 10 by count_
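The query above uses column names from the Microsoft Entra ID SigninLogs table (ResultType, UserPrincipalName), which do not exist in a custom log table fed by Auth0. The following is an added example, not code from the original post or from Auth0: it assumes that Auth0 log events land in Auth0AM_CL with string columns carrying the usual custom-log "_s" suffix (type_s, user_name_s, ip_s, client_name_s), and it relies on Auth0's documented log event type codes for failed logins (f = Failed Login, fp = incorrect password, fu = invalid username/email). Check the real column names first with `Auth0AM_CL | getschema` and adjust the names if your table differs.

```kql
// Added example, not from the original post. Assumed column names:
// type_s, user_name_s, ip_s, client_name_s (verify with: Auth0AM_CL | getschema).
let lookback = 1d;      // window the alert looks back over
let threshold = 5;      // failed attempts per user/app before we care
Auth0AM_CL
| where TimeGenerated > ago(lookback)
// Auth0 event type codes for failed logins:
//   f  = Failed Login, fp = Failed Login (Incorrect Password),
//   fu = Failed Login (Invalid Email/Username)
| where type_s in ("f", "fp", "fu")
| summarize FailedAttempts = count(),
            DistinctIPs    = dcount(ip_s),
            FirstSeen      = min(TimeGenerated),
            LastSeen       = max(TimeGenerated)
    by user_name_s, client_name_s
| where FailedAttempts >= threshold
| top 10 by FailedAttempts desc
```

Grouping by the Auth0 application (client_name_s) as well as the user name keeps a burst of failures against one app from being diluted across all of them, and DistinctIPs helps separate a user who mistyped a password a few times from a spray coming from many addresses. If getschema shows the columns without the "_s" suffix, drop the suffix throughout.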