Query Details
// Query is from CISA Playbook https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
CloudAppEvents
| where ActionType == 'MeetingParticipantDetail'   // meeting participant records from the expanded cloud logs
| extend clientip = tostring(RawEventData.ClientIP)          // participant's source IP
| extend meeting_id = tostring(RawEventData.MeetingDetailId)
| extend join_time = todatetime(RawEventData.JoinTime)
| extend leave_time = todatetime(RawEventData.LeaveTime)
| extend min_duration = datetime_diff('minute', leave_time, join_time)  // time in meeting, in minutes
| where clientip == 'x.x.x.x' // Replace with suspicious IP
| project AccountDisplayName, meeting_id, join_time, leave_time, min_duration
This query is designed to analyze cloud application events, specifically focusing on meeting participation details. Here's a simple breakdown of what it does:
Source Data: It starts by looking at data from CloudAppEvents.
Filter by Action Type: It filters the events to only include those where the action type is 'MeetingParticipantDetail', which means it is interested in details about participants in meetings.
Extract and Convert Data: It pulls the client IP, meeting ID, join time and leave time out of the RawEventData field, converting the IP and meeting ID to strings and the two timestamps to datetime values so they can be compared.
Calculate Duration: It calculates the duration of each participant's presence in the meeting in minutes by finding the difference between the leave time and join time.
Filter by IP Address: It further filters the results to only include events where the client's IP address matches a specific suspicious IP address (represented as 'x.x.x.x' in the query).
Select Specific Fields: Finally, it selects and displays specific fields: the account display name, meeting ID, join time, leave time, and the calculated duration in minutes.
In summary, this query helps identify and analyze meeting participation details for a specific IP address, focusing on how long the participant was in the meeting and other related details.
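The same logic generalized a step further, as an added example that is not part of the original query or the CISA playbook: instead of one hard-coded IP it takes a small watchlist, keeps rows whose LeaveTime is still empty (participant still joined or record truncated) rather than dropping them through a null duration, and summarizes per account and IP. `SuspiciousIPs` and its values are placeholders you would replace with the addresses from your own investigation.

```kql
// Added example (not the original query): watchlist of IPs plus per-account summary.
let SuspiciousIPs = dynamic(["x.x.x.x", "y.y.y.y"]); // placeholders, replace with the IPs under investigation
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == 'MeetingParticipantDetail'
| extend clientip   = tostring(RawEventData.ClientIP)
| extend meeting_id = tostring(RawEventData.MeetingDetailId)
| extend join_time  = todatetime(RawEventData.JoinTime)
| extend leave_time = todatetime(RawEventData.LeaveTime)
// A participant still in the meeting (or a truncated record) has no LeaveTime;
// flag it and measure up to now instead of silently producing a null duration.
| extend still_joined = isnull(leave_time)
| extend min_duration = iff(still_joined,
                            datetime_diff('minute', now(), join_time),
                            datetime_diff('minute', leave_time, join_time))
| where clientip in (SuspiciousIPs)
| summarize meetings      = dcount(meeting_id),
            first_seen    = min(join_time),
            last_seen     = max(coalesce(leave_time, join_time)),
            total_minutes = sum(min_duration),
            open_sessions = countif(still_joined)
    by AccountDisplayName, clientip
| order by total_minutes desc
```

Rows with a non-zero open_sessions count are the ones where the participant from the watched IP had not left at the time the event was recorded, so total_minutes for those accounts is a lower bound.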

Jay Kerai
Released: January 20, 2025