Azure Sentinel KQL Query

I have connected Auth0 to our Azure Sentinel instance and i am trying to configure an alert for multiple failed log in attempts in the last 24hrs. I am using the below KQL but it doesn’t recognise the column ‘ResultType’ with the error “‘where’ operator: Failed to resolve column or scalar expression named 'ResultType”. There is also the same error on UserPrincipleName. I can’t seem to find Auth0s equivalent fields.

Can anyone help??


| where TimeGenerated > ago(1d)

| where ResultType != "0"

| summarize count() by UserPrincipalName

| top 10 by count_

Hi @alex43,

Welcome to the Auth0 Community!

I’m not familiar with those fields. You may want to look at what is available in the Auth0 log objects:

Hope this helps!