Query Details

Endpoint User Account Created

Query

name : Tracking daily "UserAccountCreated" activities 
table :
  - DeviceEvents
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide
query: |
    DeviceEvents
    | where Timestamp > ago(30d)
    | where ActionType == "UserAccountCreated"
    | summarize List = make_list(strcat(DeviceId, " - ", DeviceName,
                        "| ", InitiatingProcessAccountDomain, @"\", InitiatingProcessAccountName,
                        "| ", AccountDomain, @"\", AccountName)) by bin(Timestamp, 1d)
    | extend Case = array_length(List)
    | project Timestamp, Case, List

Explanation

The query tracks user account creation on endpoints, day by day. It reads the DeviceEvents table and keeps only events from the last 30 days whose ActionType is "UserAccountCreated". For each day (bin(Timestamp, 1d)) it builds a list in which every entry joins the DeviceId and DeviceName, the account that ran the creating process (InitiatingProcessAccountDomain\InitiatingProcessAccountName), and the account that was created (AccountDomain\AccountName). The "Case" column is the length of that list, i.e. the number of account-creation events seen that day, and the final output is the Timestamp, Case, and List columns. Reviewing Case over time makes unexpected spikes, or creations by accounts and devices that normally never create users, easy to spot.
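As an added example (not part of the original query), the same daily aggregation can be turned into a simple alerting view: compare each day's creation count against the 30-day daily average and surface the creating process alongside the accounts. The thresholds (at least 3 creations and at least twice the baseline) are assumptions to be tuned per environment; all columns used exist in the DeviceEvents schema.

```kusto
// Added example: flag days with an unusual number of "UserAccountCreated" events
// relative to the trailing 30-day daily average, and show who/what created them.
let lookback = 30d;
let daily =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "UserAccountCreated"
    | summarize
        Created  = count(),
        Accounts = make_set(strcat(AccountDomain, @"\", AccountName)),
        Creators = make_set(strcat(InitiatingProcessAccountDomain, @"\",
                                   InitiatingProcessAccountName, " via ",
                                   InitiatingProcessFileName)),
        Devices  = make_set(DeviceName)
      by Day = bin(Timestamp, 1d);
// Average creations per day over the whole window, used as the baseline.
let baseline = toscalar(daily | summarize avg(Created));
daily
| extend Baseline = round(baseline, 2),
         Ratio    = round(todouble(Created) / baseline, 2)
// Assumed thresholds: absolute floor of 3 events and at least 2x the baseline.
| where Created >= 3 and Ratio >= 2.0
| project Day, Created, Baseline, Ratio, Devices, Creators, Accounts
| order by Day desc
```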

Details

Kijo Girardi

Released: May 23, 2023

Tables

DeviceEvents

Keywords

DeviceEvents,Timestamp,ActionType,UserAccountCreated,DeviceId,DeviceName,InitiatingProcessAccountDomain,InitiatingProcessAccountName,AccountDomain,AccountName,List,Case

Operators

toscalar() arg_max() count() mv-expand