Query Details

App Governance

App G App Activities

Query

// Find all the activities involving the cloud app in last 30 days
let now = now();
let appid = (i : dynamic )
{
    case
    (
        i.Workload == "SharePoint", i.ApplicationId,
        i.Workload == "Exchange", iff(isempty(i.ClientAppId), i.AppId, i.ClientAppId),
        i.Workload == "OneDrive", i.ApplicationId,
        i.Workload == "MicrosoftTeams", i.AppAccessContext.ClientAppId,
        "Unknown"
    )
};
CloudAppEvents
| where ((RawEventData.Workload ==  "SharePoint" or RawEventData.Workload == "OneDrive") and (ActionType == "FileUploaded" or ActionType == "FileDownloaded")) or (RawEventData.Workload == "Exchange" and (ActionType == "Send" or ActionType == "MailItemsAccessed")) or (RawEventData.Workload == "MicrosoftTeams" and (ActionType == "MessagesListed" or ActionType == "MessageRead" or ActionType == "MessagesExported" or ActionType == "MessageSent"))
| extend AppId = appid(RawEventData)
| where AppId == "<APP ID HERE >"
| where Timestamp between (datetime("2023-05-07 00:00:00Z")..30d)
| extend tostring(RawEventData.Id)
| summarize arg_max(Timestamp, *) by RawEventData_Id
| sort by Timestamp desc
| project Timestamp, OAuthApplicationId = AppId, ReportId, AccountId, AccountObjectId, AccountDisplayName, IPAddress, UserAgent, Workload = tostring(RawEventData.Workload), ActionType, SensitivityLabel = tostring(RawEventData.SensitivityLabelId), tostring(RawEventData)
| limit 1000

About this query

App Governance

Query Information

Description

Find all the activities involving the cloud app in last 30 days

Microsoft 365 Defender

Explanation

This KQL query is designed to retrieve and summarize activities involving a specific cloud application over the past 30 days. Here's a simple breakdown of what the query does:

  1. Define Current Time: It starts by setting the current time to a variable called now.

  2. Determine Application ID: It defines a function to determine the application ID (appid) based on the workload type (e.g., SharePoint, Exchange, OneDrive, Microsoft Teams).

  3. Filter Events: It filters events from the CloudAppEvents table based on specific conditions:

    • For SharePoint and OneDrive, it looks for file upload or download actions.
    • For Exchange, it looks for email sending or access actions.
    • For Microsoft Teams, it looks for message-related actions (listed, read, exported, sent).
  4. Match Specific App ID: It further filters these events to only include those associated with a specific application ID (<APP ID HERE>).

  5. Time Range: It restricts the results to events that occurred within the last 30 days from a specified start date (2023-05-07).

  6. Summarize and Sort: It summarizes the data to get the most recent event for each unique event ID, sorts the results by timestamp in descending order, and limits the output to 1000 records.

  7. Select Columns: Finally, it selects and projects specific columns for the output, including timestamp, application ID, report ID, account details, IP address, user agent, workload, action type, and sensitivity label.

This query is useful for monitoring and analyzing activities related to a specific cloud application within a Microsoft 365 environment.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

CloudAppEvents

Keywords

CloudAppEventsSharePointExchangeOneDriveMicrosoftTeamsFileUploadedDownloadedSendMailItemsAccessedMessagesListedMessageReadExportedSentTimestampOAuthApplicationIdReportAccountObjectDisplayNameIPAddressUserAgentWorkloadActionTypeSensitivityLabel

Operators

letnowcaseiffisemptyorandextendwherebetweendatetimesummarizearg_maxbysortdescprojecttostringlimit

Actions

GitHub