This function returns the RiskState of a UPN; if the result is empty, the user did not have a risky state in the last 90 days. This saves time by not having to look up the user in Azure Active Directory, instead leveraging Log Analytics data that stores the risk status of users.
// Function returns the RiskState of a UPN, if the results are empty then the user did not have a risky state in the last 90 days.
// UserRiskStatus(UPN): Advanced Hunting (Timestamp-based) variant.
// Parameter: UPN — the user principal name to look up; matched with =~, so the comparison is case-insensitive.
// Returns: at most one row per matching UPN — the most recent record in the window — with
//   Timestamp, UserPrincipalName, RiskState, RiskLevel, RiskDetail. An empty result means no record
//   for that UPN was found in the window.
// No filter is applied on RiskState, so the returned row may carry any state; callers should
//   inspect RiskState rather than treat the mere presence of a row as "user is risky".
// NOTE(review): the source table that normally precedes the first pipe, the closing `};`, and the
//   example invocation are not present in this listing — confirm against the original file.
// NOTE(review): Advanced Hunting retention is shorter than 90 days, so the ago(90d) window is
//   effectively capped by retention — verify for the tenant in question.
let UserRiskStatus = (UPN: string) {
// Keep only the last 90 days of records.
| where Timestamp > ago(90d)
// Case-insensitive match on the requested UPN.
| where UserPrincipalName =~ UPN
// Collapse to the latest record per UPN (all columns of that row are kept by the `*`).
| summarize arg_max(Timestamp, *) by UserPrincipalName
// Expose only the risk-relevant columns.
| project Timestamp, UserPrincipalName, RiskState, RiskLevel, RiskDetail
// Example
// Function returns the RiskState of a UPN, if the results are empty then the user did not have a risky state in the last 90 days.
// UserRiskStatus(UPN): Log Analytics / Microsoft Sentinel (TimeGenerated-based) variant.
// Parameter: UPN — the user principal name to look up; matched with =~, so the comparison is case-insensitive.
// Returns: at most one row per matching UPN — the most recent record in the window — with
//   TimeGenerated, UserPrincipalName, RiskState, RiskLevel, RiskDetail. An empty result means no record
//   for that UPN was found in the window.
// No filter is applied on RiskState, so the returned row may carry any state; callers should
//   inspect RiskState rather than treat the mere presence of a row as "user is risky".
// NOTE(review): the source table that normally precedes the first pipe, the closing `};`, and the
//   example invocation are not present in this listing — confirm against the original file.
// NOTE(review): the 90d window only yields 90 days of history if the workspace's data retention
//   for this table is at least that long — verify the workspace retention setting.
let UserRiskStatus = (UPN: string) {
// Keep only the last 90 days of records.
| where TimeGenerated > ago(90d)
// Case-insensitive match on the requested UPN.
| where UserPrincipalName =~ UPN
// Collapse to the latest record per UPN (all columns of that row are kept by the `*`).
| summarize arg_max(TimeGenerated, *) by UserPrincipalName
// Expose only the risk-relevant columns.
| project TimeGenerated, UserPrincipalName, RiskState, RiskLevel, RiskDetail
// Example