Query Details

Audit Daily Summary of O365 Admin Activity

Query

//Create a daily summary of activities completed by your O365 admins

//Data connector required for this query - Office 365 (OfficeActivity)
//Data connector required for this query - Microsoft Sentinel UEBA (IdentityInfo)

//Activity window; the IdentityInfo lookback is deliberately wider (21d) so an
//admin whose identity snapshot has not refreshed recently still matches
let timerange=14d;
IdentityInfo
| where TimeGenerated > ago(21d)
//Keep only the newest snapshot per account so stale role assignments are not used
| summarize arg_max(TimeGenerated, *) by AccountUPN
//AssignedRoles is a dynamic array; has_any matches any of the listed roles
| where AssignedRoles has_any ("Global Administrator", "Exchange Administrator", "Teams Administrator", "SharePoint Administrator")
//Join keys in KQL are case-sensitive; normalize case on both sides so UPN casing differences do not drop rows
| project UserId=tolower(AccountUPN)
| join kind=inner (
    OfficeActivity
    | where TimeGenerated > ago(timerange)
    | extend UserId=tolower(UserId)
    )
    on UserId
| summarize AdminActivities=make_list(Operation) by UserId, Day=startofday(TimeGenerated)
| order by Day desc, UserId asc

Explanation

This query creates a daily summary of activities completed by Office 365 admins. It requires the Office 365 data connector (for OfficeActivity) and Microsoft Sentinel UEBA (for IdentityInfo). It first looks back 21 days in IdentityInfo, keeps only the most recent snapshot per account (arg_max on TimeGenerated) so that a role removed since an older snapshot is not counted, and filters to accounts whose AssignedRoles array contains one of the listed admin roles. It then joins those accounts to the last 14 days of OfficeActivity on the user principal name (UserId). Because KQL joins are case-sensitive, the two columns must agree in case or events will silently drop out. Finally it summarizes the Operation values into a list per user per calendar day (startofday of TimeGenerated).
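To make the query's steps concrete, the following is an added Python illustration (not code from the page or its author) that runs the same logic over constructed sample rows: the arg_max dedupe of IdentityInfo snapshots, the role filter, the 14-day activity window, the join on UPN, and the per-day grouping. The sample records, the NOW timestamp and the normalize_case switch are all assumptions made for this example; the switch exists to show what happens when the join keys differ only in letter case, which is the failure mode a case-sensitive join has in practice.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example only (not real telemetry).
# IdentityInfo is a snapshot table: the same UPN appears more than once,
# so the newest row must win, exactly as arg_max(TimeGenerated, *) does.
IDENTITY_INFO = [
    {"TimeGenerated": "2022-06-01T08:00:00Z", "AccountUPN": "Alice@contoso.com",
     "AssignedRoles": ["Global Administrator"]},
    {"TimeGenerated": "2022-06-10T08:00:00Z", "AccountUPN": "Alice@contoso.com",
     "AssignedRoles": ["Global Administrator", "Exchange Administrator"]},
    {"TimeGenerated": "2022-06-12T08:00:00Z", "AccountUPN": "bob@contoso.com",
     "AssignedRoles": ["Teams Administrator"]},
    {"TimeGenerated": "2022-06-12T08:00:00Z", "AccountUPN": "carol@contoso.com",
     "AssignedRoles": ["User Administrator"]},          # not a watched role
    {"TimeGenerated": "2022-06-01T08:00:00Z", "AccountUPN": "dave@contoso.com",
     "AssignedRoles": ["SharePoint Administrator"]},
    {"TimeGenerated": "2022-06-11T08:00:00Z", "AccountUPN": "dave@contoso.com",
     "AssignedRoles": []},                               # role removed later
]

# Constructed OfficeActivity rows; note UserId is lower-case throughout.
OFFICE_ACTIVITY = [
    {"TimeGenerated": "2022-06-15T09:12:00Z", "UserId": "alice@contoso.com", "Operation": "Set-Mailbox"},
    {"TimeGenerated": "2022-06-15T17:40:00Z", "UserId": "alice@contoso.com", "Operation": "New-InboxRule"},
    {"TimeGenerated": "2022-06-16T10:00:00Z", "UserId": "bob@contoso.com", "Operation": "TeamCreated"},
    {"TimeGenerated": "2022-06-16T11:00:00Z", "UserId": "carol@contoso.com", "Operation": "FileAccessed"},
    {"TimeGenerated": "2022-06-16T12:00:00Z", "UserId": "dave@contoso.com", "Operation": "SiteCollectionCreated"},
    {"TimeGenerated": "2022-05-20T12:00:00Z", "UserId": "bob@contoso.com", "Operation": "TeamDeleted"},  # outside 14d
]

# Same role list as the query's has_any clause.
WATCHED_ROLES = {"Global Administrator", "Exchange Administrator",
                 "Teams Administrator", "SharePoint Administrator"}

# Assumed "current time" for the example so the ago() windows are fixed.
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def current_admins(identity_rows, now, lookback_days=21, normalize_case=True):
    """IdentityInfo | where > ago(21d) | arg_max by AccountUPN | where roles has_any."""
    latest = {}
    for row in identity_rows:
        ts = parse_ts(row["TimeGenerated"])
        if ts <= now - timedelta(days=lookback_days):
            continue
        key = row["AccountUPN"].lower() if normalize_case else row["AccountUPN"]
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, row)          # newest snapshot wins
    # has_any on the dynamic array == non-empty intersection with the role set
    return {upn for upn, (_, row) in latest.items()
            if WATCHED_ROLES & set(row["AssignedRoles"])}


def daily_admin_summary(identity_rows, activity_rows, now,
                        timerange_days=14, normalize_case=True):
    """Inner join on UserId, then make_list(Operation) by UserId, startofday."""
    admins = current_admins(identity_rows, now, normalize_case=normalize_case)
    summary = defaultdict(list)
    for event in activity_rows:
        ts = parse_ts(event["TimeGenerated"])
        if ts <= now - timedelta(days=timerange_days):
            continue
        uid = event["UserId"].lower() if normalize_case else event["UserId"]
        if uid not in admins:                # inner join: non-admins drop out
            continue
        summary[(uid, ts.date().isoformat())].append(event["Operation"])
    return dict(summary)


if __name__ == "__main__":
    for (user, day), ops in sorted(daily_admin_summary(IDENTITY_INFO, OFFICE_ACTIVITY, NOW).items()):
        print(day, user, ops)
    # With normalize_case=False, "Alice@contoso.com" never matches
    # "alice@contoso.com" and every one of her admin actions disappears.
    print(daily_admin_summary(IDENTITY_INFO, OFFICE_ACTIVITY, NOW, normalize_case=False))
```

Dave is excluded because his newest snapshot carries no watched role, which is why the arg_max step matters; Carol is excluded by the role filter; Bob's older TeamDeleted event falls outside the 14-day window. Running with normalize_case=False reproduces the silent data loss a case-sensitive join causes when AccountUPN and OfficeActivity.UserId differ only in case.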

Details


Matt Zorich

Released: June 17, 2022

Tables

IdentityInfo, OfficeActivity

Keywords

IdentityInfo, AccountUPN, AssignedRoles, Global Administrator, Exchange Administrator, Teams Administrator, SharePoint Administrator, UserId, OfficeActivity, TimeGenerated, Operation, AdminActivities

Operators

where, summarize, arg_max, by, has_any, project, join, inner, make_list
