KQL Search

Query Details

HomeAI ToolsDevice Query

Anomalies Anomalous User Activities In Office Exchange

Query

Anomalies
| where RuleName endswith "Anomalous user activities in Office Exchange" and RuleStatus != "Flighting"
| extend
    Query = ExtendedLinks[0]["DetailBladeInputs"]
| project
    TimeGenerated,
    RuleName,
    Description,
    Query,
    UserPrincipalName,
    Score,
    AnomalyDetails,
    Entities,
    Tactics,
    Techniques,
    ExtendedLinks

Explanation

This query is looking for anomalies related to user activities in Office Exchange. It filters out any anomalies that are in the "Flighting" status. It then extends the query to include the detailed inputs for the anomaly. Finally, it projects various fields such as the time generated, rule name, description, query, user principal name, score, anomaly details, entities, tactics, techniques, and extended links.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: January 11, 2023

Tables

Anomalies

Keywords

Anomalies,RuleName,RuleStatus,Query,TimeGenerated,Description,UserPrincipalName,Score,AnomalyDetails,Entities,Tactics,Techniques,ExtendedLinks

Operators

whereendswith!=extendproject

Actions