Using a KQL query, how would someone pull login attempts to O365 from a user using the Sentinel SIEM? Logging in from the outside of an org into the Office.com portal?
I know the logs or login events are captured on MCAS - but I'd want to see more details in Sentinel.
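
One way to approach the query asked about above, as an added example that is not part of the original post. It assumes the Microsoft Entra ID (Azure AD) data connector is enabled so that sign-ins land in the `SigninLogs` table, and that the Office.com portal appears under the application name `OfficeHome`; the user name and the corporate IP ranges are placeholders.

```kql
// Added example: sign-in attempts by one user to the Office.com portal
// from IP addresses outside the organization's known egress ranges.
let targetUser = "user@example.com";            // placeholder UPN
let corpRanges = dynamic(["203.0.113.0/24"]);   // placeholder: your org's public egress ranges
let lookback   = 7d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where UserPrincipalName =~ targetUser
// Assumption: the portal is logged as "OfficeHome". Confirm in your tenant with:
//   SigninLogs | summarize count() by AppDisplayName
| where AppDisplayName =~ "OfficeHome"
// ipv4_is_in_any_range() returns null for IPv6 or unparsable addresses;
// keep those rows so they are reviewed as external rather than silently dropped.
| extend InCorpRange = ipv4_is_in_any_range(IPAddress, corpRanges)
| where isnull(InCorpRange) or InCorpRange == false
// ResultType is a string in SigninLogs; "0" means the sign-in succeeded.
| extend Outcome = iff(ResultType == "0", "Success", "Failure")
| extend Country = tostring(LocationDetails.countryOrRegion),
         City    = tostring(LocationDetails.city),
         OS      = tostring(DeviceDetail.operatingSystem),
         Browser = tostring(DeviceDetail.browser)
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress,
          Country, City, Outcome, ResultType, ResultDescription,
          ClientAppUsed, ConditionalAccessStatus, OS, Browser
| sort by TimeGenerated desc
```

Failed attempts keep their `ResultType` and `ResultDescription`, so a follow-up `summarize count() by Outcome, ResultType, IPAddress` separates a single mistyped password from repeated failures from one external address.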
