Azure Sentinel KQL Query

alex43 · November 3, 2023, 11:45am

I have connected Auth0 to our Azure Sentinel instance and i am trying to configure an alert for multiple failed log in attempts in the last 24hrs. I am using the below KQL but it doesn’t recognise the column ‘ResultType’ with the error “‘where’ operator: Failed to resolve column or scalar expression named 'ResultType”. There is also the same error on UserPrincipleName. I can’t seem to find Auth0s equivalent fields.

Can anyone help??

Auth0AM_CL

| where TimeGenerated > ago(1d)

| where ResultType != "0"

| summarize count() by UserPrincipalName

| top 10 by count_

dan.woda · November 8, 2023, 4:21pm

Hi @alex43,

Welcome to the Auth0 Community!

I’m not familiar with those fields. You may want to look at what is available in the Auth0 log objects:

Hope this helps!

Topic		Replies	Views
Event logs search query limitations Help auth0 , logs , lucene	5	2100	February 2, 2023
Querying logs from the UI with wildcards Help	3	2185	April 22, 2021
Using AND when searching logs Help	3	2504	April 8, 2021
Add search by type criteria while fetching user logs from management api v2? Help logs , search	2	4240	September 3, 2019
Auth0 Log types Help tenant-log-streams , insights-monitoring	2	105	July 1, 2024

Azure Sentinel KQL Query

Related topics