Terminated User Logons in Sentinel Query

Brad_Hill · ‎Dec 20 2023

Hello,

Looking for a Query that will search within Sentinel for the last logon attempt for ALL terminated users over the past 11 months, please.

‎Dec 29 2023

@Brad_Hill - You need to store the list terminated employees and the use the below query let list_of_terminated_employeed = dynamic(['email address removed for privacy reasons','email address removed for privacy reasons']); SigninLogs | where TimeGenerated >ago(365d) | summarize arg_max(TimeGenerated,*) by UserPrincipalName | where UserPrincipalName has_any (list_of_terminated_employeed) And you need to ensure that the Microsoft Sentinel Workspace has the retention for the time period you are looking for,

‎Jan 03 2024

Highly suggest using a Watchlist to store the terminated employees. There is a template for it and, with the help of a Logic App that queries the Graph API, you can keep it up to date automatically.

‎Jan 07 2024

Are you able to share the template and likely Logic app that queries the Graph API?

‎Jan 08 2024

@EIS

Watchlist template is available is Microsoft Sentinel

and here is an example of logic app for watchlist automation

New watchlist actions available for watchlist automation using Microsoft Sentinel SOAR - Microsoft C...

Terminated User Logons in Sentinel Query

Terminated User Logons in Sentinel Query

Re: Terminated User Logons in Sentinel Query

Re: Terminated User Logons in Sentinel Query

Re: Terminated User Logons in Sentinel Query

Re: Terminated User Logons in Sentinel Query

Products (47)

Special Topics (23)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Terminated User Logons in Sentinel Query

Terminated User Logons in Sentinel Query

Re: Terminated User Logons in Sentinel Query

Re: Terminated User Logons in Sentinel Query

Re: Terminated User Logons in Sentinel Query

Re: Terminated User Logons in Sentinel Query