KQL Search

Query Details

HomeAI ToolsDevice Query

Accounts With Most Impersonated Actions

Query

# List the top 100 accounts that have performed the most impersonated actions

### Defender For Endpoint

```
CloudAppEvents
| where IsImpersonated == 1
| extend
     MailboxOwnerUPN = tostring(parse_json(RawEventData).MailboxOwnerUPN),
     ActionPerformedBy = tostring(parse_json(RawEventData).UserId)
| where MailboxOwnerUPN != ActionPerformedBy
| summarize
     TotalImpersonatedActivities = count(),
     Impersonators = make_set(ActionPerformedBy),
     PerformedActions = make_set(ActionType)
     by MailboxOwnerUPN
| top 100 by TotalImpersonatedActivities
```
### Sentinel
```
CloudAppEvents
| where IsImpersonated == 1
| extend
     MailboxOwnerUPN = tostring(parse_json(RawEventData).MailboxOwnerUPN),
     ActionPerformedBy = tostring(parse_json(RawEventData).UserId)
| where MailboxOwnerUPN != ActionPerformedBy
| summarize
     TotalImpersonatedActivities = count(),
     Impersonators = make_set(ActionPerformedBy),
     PerformedActions = make_set(ActionType)
     by MailboxOwnerUPN
| top 100 by TotalImpersonatedActivities
```

Explanation

The query lists the top 100 accounts that have performed the most impersonated actions in either Defender for Endpoint or Sentinel. It filters the CloudAppEvents data to only include events where impersonation has occurred. It then extracts the MailboxOwnerUPN and ActionPerformedBy values from the RawEventData field. It filters out any events where the MailboxOwnerUPN is the same as the ActionPerformedBy. It then summarizes the data by MailboxOwnerUPN, counting the total number of impersonated activities and creating sets of impersonators and performed actions. Finally, it selects the top 100 accounts based on the total number of impersonated activities.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: February 14, 2023

Tables

CloudAppEvents

Keywords

CloudAppEvents,IsImpersonated,RawEventData,MailboxOwnerUPN,ActionPerformedBy,UserId,ActionType,TotalImpersonatedActivities,Impersonators,PerformedActions

Operators

CloudAppEventswhereIsImpersonated==1extendMailboxOwnerUPN=tostring(parse_json(RawEventData).MailboxOwnerUPN),ActionPerformedBy=tostring(parse_json(RawEventData).UserId)whereMailboxOwnerUPN!=ActionPerformedBysummarizeTotalImpersonatedActivities=count(),Impersonators=make_set(ActionPerformedBy),PerformedActions=make_set(ActionType)byMailboxOwnerUPNtop100byTotalImpersonatedActivities

Actions