KQL Search

Query Details

HomeAI ToolsDevice Query

DCA Pivot Table Admin Actions

Query

//Create a pivot table of all actions in Defender for Cloud Apps by your privileged users over the last 7 days
//Lookup the IdentityInfo table for any users holding a privileged role

//Data connector required for this query - M365 Defender - CloudAppEvents

//Microsoft Sentinel query
let privusers=
    IdentityInfo
    | where TimeGenerated > ago(21d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    //Add any roles that you are interested in auditing
    | where AssignedRoles has_any ("Global Administrator", "Security Administrator", "SharePoint Administrator")
    | distinct AccountUPN;
CloudAppEvents
| where TimeGenerated > ago(7d)
| extend Operation = tostring(RawEventData.Operation)
| extend UserId = tostring(RawEventData.UserId)
| extend Workload = tostring(RawEventData.Workload)
//Create a new column that adds workload and operation together to make the events more readable
| extend Activity = strcat(Workload, " - ", Operation)
| where UserId in~ (privusers)
//Create pivot table of all actions by each user
| evaluate pivot(Activity, count(), UserId)

//Advanced hunting query

//Data connector required for this query - Advanced Hunting license

CloudAppEvents
| where Timestamp > ago(7d)
| extend Operation = tostring(RawEventData.Operation)
| extend UserId = tostring(RawEventData.UserId)
| extend Workload = tostring(RawEventData.Workload)
//Advanced hunting doesn't retain role information about users, but you can add a list of users in manually to create a table
| where UserId in~ ("[email protected]", "[email protected]")
//Create a new column that adds workload and operation together to make the events more readable
| extend Activity = strcat(Workload, " - ", Operation)
//Create pivot table of all actions by each user
| evaluate pivot(Activity, count(), UserId)

Explanation

The query is looking to create a pivot table that shows all actions performed by privileged users in Defender for Cloud Apps over the last 7 days. It also looks up the IdentityInfo table to find users holding privileged roles. The query uses the CloudAppEvents data connector and filters the events based on the specified time range and privileged users. It then creates a pivot table that counts the number of actions for each user. The second part of the query is an advanced hunting query that performs a similar analysis but doesn't have access to role information. Instead, it manually specifies a list of users to include in the analysis.

Details

Matt Zorich profile picture

Matt Zorich

Released: June 17, 2022

Tables

CloudAppEventsIdentityInfo

Keywords

Devices,Intune,User,IdentityInfo,AccountUPN,AssignedRoles,CloudAppEvents,TimeGenerated,RawEventData,Operation,UserId,Workload,Activity,privusers,Timestamp

Operators

wheresummarizearg_maxbywherehas_anydistinctextendtostringin~evaluatepivotcount()

Actions