Query Details

DCA Paid Trial Started

Query

//Alert when a user starts a paid trial of an M365 product

//Data connector required for this query - M365 Defender - CloudAppEvents

CloudAppEvents
| extend Operation = tostring(RawEventData.Operation)
| where Operation == "StartAPaidTrial"
| extend UserId = tostring(RawEventData.UserId)
| extend LicenseDisplayName = tostring(RawEventData.LicenseDisplayName)
| extend Workload = tostring(RawEventData.Workload)
| project TimeGenerated, Operation, UserId, LicenseDisplayName, Workload

Explanation

This query looks for events where a user starts a paid trial of a Microsoft 365 product. It uses the M365 Defender - CloudAppEvents data connector to retrieve the necessary data. The query filters the events based on the "StartAPaidTrial" operation and extracts information such as the user ID, license display name, and workload. The final result includes the time the event was generated, the operation, user ID, license display name, and workload.

Details

Matt Zorich

Released: June 17, 2022

Tables

CloudAppEvents

Keywords

CloudAppEvents, RawEventData, Operation, StartAPaidTrial, UserId, LicenseDisplayName, Workload, TimeGenerated

Operators

extend, where, project
