Query Details

External Admin Activities

Query

# List the external admin activities

### Defender For Endpoint

```kql
CloudAppEvents
| where IsExternalUser == 1 and AccountType == "Admin"
| summarize
      TotalActivities = count(),
      ActionsPerformed = make_set(ActionType),
      Applications = make_set(Application),
      IPsUsed = make_set(IPAddress)
      by AccountId
| sort by TotalActivities
```
### Sentinel

```kql
CloudAppEvents
| where IsExternalUser == 1 and AccountType == "Admin"
| summarize
      TotalActivities = count(),
      ActionsPerformed = make_set(ActionType),
      Applications = make_set(Application),
      IPsUsed = make_set(IPAddress)
      by AccountId
| sort by TotalActivities
```

Explanation

This query lists external admin activities and is identical for Defender for Endpoint and Sentinel. It filters the CloudAppEvents table to rows where IsExternalUser is 1 and AccountType is "Admin", then summarizes per AccountId: the total number of activities, and the distinct sets of actions performed (ActionType), applications used (Application), and IP addresses used (IPAddress). Finally, it sorts the results by the total number of activities.
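To make the summarize step concrete, the following is an added example (not from the original page or its author) that reproduces the query's filter, aggregation and ordering in Python over a handful of constructed CloudAppEvents-style rows. The account names, IP addresses and action names are made up for the example; only the column names come from the query.

```python
from collections import defaultdict

# Constructed sample CloudAppEvents rows (not real tenant data), limited to the
# columns the query touches. The last two rows exist to show what the filter drops.
SAMPLE_EVENTS = [
    {"AccountId": "admin-a@partner.example", "IsExternalUser": 1, "AccountType": "Admin",
     "ActionType": "Add member to role.", "Application": "Microsoft 365", "IPAddress": "203.0.113.10"},
    {"AccountId": "admin-a@partner.example", "IsExternalUser": 1, "AccountType": "Admin",
     "ActionType": "Update user.", "Application": "Microsoft 365", "IPAddress": "203.0.113.10"},
    {"AccountId": "admin-a@partner.example", "IsExternalUser": 1, "AccountType": "Admin",
     "ActionType": "Add member to role.", "Application": "Microsoft Exchange Online", "IPAddress": "198.51.100.7"},
    {"AccountId": "admin-b@partner.example", "IsExternalUser": 1, "AccountType": "Admin",
     "ActionType": "Set-Mailbox", "Application": "Microsoft Exchange Online", "IPAddress": "198.51.100.8"},
    # Internal admin: excluded by IsExternalUser == 1.
    {"AccountId": "admin-c@contoso.example", "IsExternalUser": 0, "AccountType": "Admin",
     "ActionType": "Update user.", "Application": "Microsoft 365", "IPAddress": "192.0.2.5"},
    # External but not an admin: excluded by AccountType == "Admin".
    {"AccountId": "guest-d@partner.example", "IsExternalUser": 1, "AccountType": "Regular",
     "ActionType": "FileAccessed", "Application": "Microsoft SharePoint Online", "IPAddress": "203.0.113.11"},
]


def external_admin_activities(events):
    """Python equivalent of the KQL: where -> summarize ... by AccountId -> sort by TotalActivities."""
    groups = defaultdict(lambda: {
        "TotalActivities": 0,
        "ActionsPerformed": set(),
        "Applications": set(),
        "IPsUsed": set(),
    })

    # `| where IsExternalUser == 1 and AccountType == "Admin"`
    for event in events:
        if not (event.get("IsExternalUser") == 1 and event.get("AccountType") == "Admin"):
            continue
        group = groups[event["AccountId"]]
        group["TotalActivities"] += 1                      # count()
        group["ActionsPerformed"].add(event["ActionType"])  # make_set(ActionType)
        group["Applications"].add(event["Application"])     # make_set(Application)
        group["IPsUsed"].add(event["IPAddress"])            # make_set(IPAddress)

    # Sets are emitted as sorted lists so the output is deterministic.
    rows = [
        {
            "AccountId": account_id,
            "TotalActivities": g["TotalActivities"],
            "ActionsPerformed": sorted(g["ActionsPerformed"]),
            "Applications": sorted(g["Applications"]),
            "IPsUsed": sorted(g["IPsUsed"]),
        }
        for account_id, g in groups.items()
    ]

    # KQL `sort by` is descending by default, so the busiest account comes first.
    rows.sort(key=lambda r: r["TotalActivities"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in external_admin_activities(SAMPLE_EVENTS):
        print(row)
```

Note that `sort by TotalActivities` with no direction keyword orders descending in KQL; the Python mirrors that with `reverse=True`. Running the block on the sample rows yields two result rows: the external admin with three activities across two IPs first, then the one with a single activity, while the internal admin and the external regular user never appear.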

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

CloudAppEvents

Keywords

Keywords: CloudAppEvents, IsExternalUser, AccountType, Admin, TotalActivities, ActionsPerformed, Applications, IPsUsed, AccountId, ActionType, Application, IPAddress, sort

Operators

where, and, summarize, count, make_set, by, sort