Merge pull request #8913 from eroll-chorus/login_dis_acct

Switch sign-in and deletion time comparison, and add ResultType sign-in filter for SuspiciousLoginfromDeletedExternalIdentities

Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml

@@ -38,11 +38,12 @@ query: |
   | join kind=inner (
       SigninLogs
       | where TimeGenerated > ago(query_period)
+      | where ResultType == 0
       | summarize take_any(*) by UserPrincipalName
       | extend ParsedUserPrincipalName = translate("@", "_", UserPrincipalName)
       | project SigninLogs_TimeGenerated = TimeGenerated, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails, AppDisplayName, ResourceDisplayName, ClientAppUsed, UserAgent, DeviceDetail, UserId, UserType, OriginalRequestId, ParsedUserPrincipalName
       ) on $left.ParsedDeletedUserPrincipalName == $right.ParsedUserPrincipalName
-  | where Delete_TimeGenerated > SigninLogs_TimeGenerated
+  | where SigninLogs_TimeGenerated > Delete_TimeGenerated
   | project-away ParsedDeletedUserPrincipalName, ParsedUserPrincipalName
   | extend
       AccountName = tostring(split(UserPrincipalName, "@")[0]),
@@ -58,7 +59,7 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
 metadata:
     source: