Query Details

Deleted Mail Items Monitoring

Query

//This query tracks deleted mail items for specific users
//Provides details about folder paths and affected email subjects
OfficeActivity
| where TimeGenerated > ago(30d)
| where UserId contains "[email protected]"
| extend FolderDynamic = todynamic(Folder)
| extend DestFolderDynamic = todynamic(DestFolder)
| extend FolderPath = tostring(FolderDynamic["Path"])
| extend DestFolderPath = tostring(DestFolderDynamic["Path"])
| extend AffectedItemsDynamic = todynamic(AffectedItems)
| extend AffectedItemsSubject = tostring(AffectedItemsDynamic[0]["Subject"])
| extend AffectedItemsParentFolder = tostring(AffectedItemsDynamic[0]["ParentFolder"]["Path"])
| project TimeGenerated, RecordType, Operation, OfficeWorkload, UserId, ClientProcessName, FolderPath, DestFolderPath, AffectedItemsSubject, AffectedItemsParentFolder, ItemType, EventSource, SourceRelativeUrl, SourceFileName, SourceFileExtension 

Explanation

This query is designed to monitor and report on deleted email items for specific users within the last 30 days. It focuses on extracting and displaying details such as the folder paths and the subjects of the affected emails. Here's a breakdown of what the query does:

  1. Data Source: It uses the OfficeActivity table to gather data.

  2. Time Filter: It only considers activities that occurred in the last 30 days.

  3. User Filter: It specifically looks for activities related to users whose user IDs contain "[email protected]".

  4. Data Extraction:

    • Converts the Folder and DestFolder fields into dynamic data types to extract folder paths.
    • Extracts the path of the original folder (FolderPath) and the destination folder (DestFolderPath).
    • Converts the AffectedItems field into a dynamic data type to extract details about the affected email items.
    • Retrieves the subject of the first affected email item (AffectedItemsSubject).
    • Retrieves the path of the parent folder of the first affected email item (AffectedItemsParentFolder).

  5. Output: It selects and displays specific columns, including the time of the event, type of record, operation performed, workload, user ID, client process name, folder paths, email subject, parent folder path, item type, event source, and file details.

In summary, this query helps track and analyze deleted emails for certain users by providing detailed information about the folders and email subjects involved.
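Two things a practitioner will notice about the query above: it filters only on user and time window, so every OfficeActivity record for that user is returned and the reader has to pick out the deletions from the Operation column; and it reads only the first element of the AffectedItems array, so a single bulk-delete event that removed many messages surfaces as one subject. The KQL below is an added example (not the author's query and not part of the original page) that narrows the results to the Exchange mailbox-audit deletion operations (SoftDelete, HardDelete, MoveToDeletedItems), matches the user exactly instead of with contains (which would also match any UPN that merely has the target string inside it), and expands AffectedItems so each deleted item becomes its own row. The UPN is a placeholder; ClientIP is assumed to be present in the OfficeActivity schema.

```kql
// Added example, not the query from the page.
// Assumptions: Operation values SoftDelete / HardDelete / MoveToDeletedItems
// (Exchange mailbox audit), a ClientIP column, and a placeholder UPN below.
let monitored_upn = "user@example.com";   // placeholder: replace with the monitored user's UPN
let lookback = 30d;
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange"
// keep only deletion operations instead of every record for the user
| where Operation in ("SoftDelete", "HardDelete", "MoveToDeletedItems")
// =~ is an exact case-insensitive match; contains would also match superstrings
| where UserId =~ monitored_upn
| extend FolderPath = tostring(todynamic(Folder).Path)
| extend DestFolderPath = tostring(todynamic(DestFolder).Path)
// AffectedItems is a JSON array; mv-expand produces one row per deleted item
| mv-expand Item = todynamic(AffectedItems)
| extend AffectedItemSubject = tostring(Item.Subject),
         AffectedItemParentFolder = tostring(Item.ParentFolder.Path)
| project TimeGenerated, UserId, Operation, ClientProcessName, ClientIP,
          FolderPath, DestFolderPath, AffectedItemSubject, AffectedItemParentFolder
| order by TimeGenerated desc
```

For a volume view that makes bulk deletions stand out, replace the final project and order by lines with `| summarize DeletedItems = count() by UserId, Operation, bin(TimeGenerated, 1h)`; because each affected item is already its own row after mv-expand, the count reflects messages rather than audit events.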

Details


Muzammil Mahmood

Released: November 10, 2024

Tables

OfficeActivity

Keywords

OfficeActivity, User, Folder, Path, Email, Subject, Item, EventSource

Operators

where, contains, extend, todynamic, tostring, project
