Query Details

AzureActivity Compromised Account


Query

let CompromisedAccountUPN = "[email protected]"; // UPN of the suspected account (Caller holds the UPN for user accounts)
let SearchWindow = 48h; // Customizable: h = hours, d = days
AzureActivity
| where Caller =~ CompromisedAccountUPN // case-insensitive match on the caller
| where TimeGenerated > ago(SearchWindow)
| summarize TotalEvents = count() by OperationNameValue // rows per full operation name, e.g. MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE
| sort by TotalEvents desc

About this query


Query Information

Description

This query lists all the control-plane actions (ACTION, DELETE, WRITE, etc.) performed by a compromised account, counted per operation name.

Sentinel

Explanation

This query is designed to track and summarize the actions performed by a potentially compromised account within a specified time frame. Here's a simple breakdown:

  1. Compromised Account: The query is focused on a specific user account, identified by the email "[email protected]", which is suspected to be compromised. The Caller column holds the user principal name for user accounts; for a service principal or managed identity it holds the object ID instead, so actions taken through an app or automation the attacker controls will not match this UPN.

  2. Time Frame: It looks at activities that occurred within the last 48 hours. ago() accepts any timespan literal, so the window can be adjusted as needed (e.g., 2d for two days, 30m for thirty minutes).

  3. Data Source: The query examines the AzureActivity table, which holds the Azure Activity log: control-plane (Azure Resource Manager) operations such as creating, changing and deleting resources, role assignments and policy changes. Data-plane operations, such as reading a storage blob or retrieving a Key Vault secret, are not recorded here and need the resource's diagnostic logs.

  4. Filter and Summarize: It filters the logs to only include rows whose Caller matches the account (=~ is case-insensitive, so differences in UPN casing do not hide events) and counts rows per OperationNameValue. That is the full operation name, such as MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE, whose last segment is the action verb (READ, WRITE, DELETE or ACTION).

  5. Sort: The results are sorted in descending order based on the number of times each operation was performed, highlighting the most frequent ones.

Overall, this query helps identify what activities the compromised account has been involved in recently, which can be crucial for security investigations and responses. One caveat when reading the numbers: many operations are logged more than once (a Start row followed by a Success or Failure row), so TotalEvents counts log rows, not distinct operations; summarize by ActivityStatusValue as well when exact counts matter.
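The query above answers "what did the account do"; the next questions in an investigation are usually "to which resources, from where, and did it succeed". The following is an added example written for this page, not part of Bert-Jan Pals's original query, that extends the same inputs into that pivot. It assumes the standard Log Analytics schema of AzureActivity (the _ResourceId, CallerIpAddress and ActivityStatusValue columns), keeps the page's placeholder UPN, and derives the action verb from the last path segment of OperationNameValue.

```kql
// Added investigation pivot (example code, not the page's original query).
// Assumes the standard AzureActivity schema in Log Analytics / Sentinel.
let CompromisedAccountUPN = "[email protected]"; // placeholder UPN from the page
let SearchWindow = 48h;                              // h = hours, d = days
AzureActivity
| where TimeGenerated > ago(SearchWindow)
| where Caller =~ CompromisedAccountUPN
// The last path segment of OperationNameValue is the action verb
// (READ, WRITE, DELETE, ACTION); the rest is the resource type.
| extend ActionVerb = toupper(extract(@"([^/]+)$", 1, OperationNameValue))
| summarize
    TotalEvents    = count(),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated),
    Resources      = dcount(_ResourceId),
    SampleResource = take_any(_ResourceId),
    SourceIPs      = make_set(CallerIpAddress, 10)
    by OperationNameValue, ActionVerb, ActivityStatusValue
// Reads are mostly noise in an account-compromise investigation;
// changes (WRITE/DELETE) and invoked operations (ACTION) are what matter.
| where ActionVerb in ("WRITE", "DELETE", "ACTION")
| sort by ActionVerb asc, TotalEvents desc
```

Grouping by ActivityStatusValue separates the Start rows from the Success and Failure rows of the same operation, so a run of failed role-assignment writes from a new IP stands out instead of being folded into one count; remove the final ActionVerb filter if you also want to see what the account enumerated.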

Details


Bert-Jan Pals

Released: March 23, 2026

Tables

AzureActivity

Keywords

AzureActivity, Compromised Account, Action, Delete, Write, OperationNameValue, TotalEvents, Caller, TimeGenerated

Operators

let, =~, >, ago(), summarize, count(), by, sort, desc
