List the top 100 accounts that have performed the most impersonated actions
Accounts With Most Impersonated Actions
Query
CloudAppEvents
| where IsImpersonated == 1
| extend
MailboxOwnerUPN = tostring(parse_json(RawEventData).MailboxOwnerUPN),
ActionPerformedBy = tostring(parse_json(RawEventData).UserId)
| where MailboxOwnerUPN != ActionPerformedBy
| summarize
TotalImpersonatedActivities = count(),
Impersonators = make_set(ActionPerformedBy),
PerformedActions = make_set(ActionType)
by MailboxOwnerUPN
| top 100 by TotalImpersonatedActivitiesAbout this query
List the top 100 accounts that have performed the most impersonated actions
Query Information
Description
This query lists the top 100 accounts that have performed the most imporsonated actions. The definiation for this field is: Indicates whether the activity was performed by one user for another (impersonated) user.
Defender XDR
Sentinel
CloudAppEvents
| where IsImpersonated == 1
| extend
MailboxOwnerUPN = tostring(parse_json(RawEventData).MailboxOwnerUPN),
ActionPerformedBy = tostring(parse_json(RawEventData).UserId)
| where MailboxOwnerUPN != ActionPerformedBy
| summarize
TotalImpersonatedActivities = count(),
Impersonators = make_set(ActionPerformedBy),
PerformedActions = make_set(ActionType)
by MailboxOwnerUPN
| top 100 by TotalImpersonatedActivities
Explanation
This query is designed to identify the top 100 user accounts that have had the most actions performed on their behalf by other users, indicating impersonation activities. Here's a simple breakdown of what the query does:
-
Filter for Impersonated Actions: It starts by filtering events where an action was marked as impersonated (
IsImpersonated == 1), meaning the action was performed by one user on behalf of another. -
Extract Relevant Information: It extracts the email address of the account owner (
MailboxOwnerUPN) and the user who performed the action (ActionPerformedBy) from the event data. -
Exclude Self-Performed Actions: It ensures that the actions considered are truly impersonated by checking that the account owner is not the same as the user performing the action.
-
Summarize Data: For each account owner, it counts the total number of impersonated actions, lists the users who performed these actions, and records the types of actions performed.
-
Rank Accounts: Finally, it sorts these accounts by the number of impersonated actions and selects the top 100 accounts with the highest counts.
This query helps in identifying potential security concerns by highlighting accounts that are frequently targeted for impersonation.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators