AzureActivity Compromised Account
Query
let CompromisedAccountUPN = "[email protected]";
let SearchWindow = 48h; //Customizable h = hours, d = days
AzureActivity
| where Caller =~ CompromisedAccountUPN
| where TimeGenerated > ago(SearchWindow)
| summarize TotalEvents = count() by OperationNameValue
| sort by TotalEvents desc

About this query
Query Information
Description
This query lists all the actions (ACTION, DELETE, WRITE, etc.) performed by a compromised account, grouped by operation and counted.
Explanation
This query is designed to track and summarize the actions performed by a potentially compromised account within a specified time frame. Here's a simple breakdown:
- Compromised Account: The query is focused on a specific user account, identified by the email "[email protected]", which is suspected to be compromised.
- Time Frame: It looks at activities that occurred within the last 48 hours. This time frame can be adjusted as needed (e.g., changing hours to days).
- Data Source: The query examines the AzureActivity logs, which record various actions taken within Azure services.
- Filter and Summarize: It filters the logs to only include actions performed by the compromised account and counts the total number of each type of action (like ACTION, DELETE, WRITE, etc.).
- Sort: The results are sorted in descending order based on the number of times each action was performed, highlighting the most frequent actions.
Overall, this query helps identify what activities the compromised account has been involved in recently, which can be crucial for security investigations and responses.
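As an added example (not part of the original query), the summary above can be followed by a drill-down that keeps the same account and window but shows which resources were touched, from which IP addresses and when, with destructive verbs ranked first. The status values and the columns ActivityStatusValue, CallerIpAddress, SubscriptionId, ResourceGroup and _ResourceId are assumed from the current AzureActivity schema.

```kql
// Added example, not from the original page: drill-down companion to the summary query.
// Same account and window as the page; status values and extra columns are assumptions
// based on the current AzureActivity schema.
let CompromisedAccountUPN = "[email protected]";
let SearchWindow = 48h; //Customizable h = hours, d = days
AzureActivity
| where TimeGenerated > ago(SearchWindow)
| where Caller =~ CompromisedAccountUPN
// One control-plane call logs several status rows (Start, Accept, Success/Failure).
// Keep only terminal rows so counts reflect completed attempts, and keep failures visible
// (repeated failures on a compromised account often show the attacker probing permissions).
| where ActivityStatusValue in~ ("Success", "Succeeded", "Failed", "Failure")
// OperationNameValue ends in the verb, e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE
| extend Parts = split(OperationNameValue, "/")
| extend Verb = toupper(tostring(Parts[array_length(Parts) - 1]))
// Rank DELETE and WRITE ahead of ACTION and reads so triage starts with the riskiest changes
| extend TriageOrder = case(Verb == "DELETE", 0, Verb == "WRITE", 1, Verb == "ACTION", 2, 3)
| summarize
    TotalEvents = count(),
    Failures = countif(ActivityStatusValue in~ ("Failed", "Failure")),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SourceIPs = make_set(CallerIpAddress, 10),
    Resources = make_set(_ResourceId, 20)
    by TriageOrder, Verb, OperationNameValue, SubscriptionId, ResourceGroup
| order by TriageOrder asc, TotalEvents desc
| project-away TriageOrder
```

The FirstSeen/LastSeen pair gives the containment window per operation, and SourceIPs separates the attacker's sessions from the legitimate owner's when both are active in the same 48 hours.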
Details

Bert-Jan Pals
Released: March 23, 2026