Query Details

Identity Info: Find Accounts with Same Employee Id

Query

//Summarize accounts in our environment that have the same employee ID (i.e. regular and admin accounts)

//Data connector required for this query - Microsoft Sentinel UEBA

IdentityInfo
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where isnotempty(EmployeeId)
| summarize ['Count of accounts']=dcount(AccountUPN), ['List of accounts']=make_set(AccountUPN) by EmployeeId
| sort by ['Count of accounts'] desc

Explanation

This query summarizes the accounts in our environment that share the same employee ID. It relies on the Microsoft Sentinel UEBA data connector, which populates the IdentityInfo table. It restricts the data to the past 30 days, keeps only the latest record for each account (arg_max on TimeGenerated by AccountUPN), drops rows with an empty EmployeeId, and then, for each employee ID, counts the distinct accounts and builds a list of them. Finally, it sorts the results by the count of accounts in descending order, so employee IDs linked to the most accounts appear first.
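As written, the query also returns employee IDs that map to exactly one account, which is the normal case and is mostly noise when the goal is to review paired regular/admin identities. The following variant, added here as an illustration rather than taken from the page or its author, keeps only employee IDs that map to more than one account and uses only the IdentityInfo columns already referenced above (AccountUPN, EmployeeId, TimeGenerated).

```kql
// Added example: restrict the results to employee IDs shared by two or more accounts.
// Data connector required: Microsoft Sentinel UEBA (populates IdentityInfo).
IdentityInfo
| where TimeGenerated > ago(30d)
// Keep the most recent record per account so stale attribute values do not skew the grouping
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where isnotempty(EmployeeId)
| summarize ['Count of accounts']=dcount(AccountUPN), ['List of accounts']=make_set(AccountUPN) by EmployeeId
// Only employee IDs with multiple linked accounts are interesting for a regular/admin pairing review
| where ['Count of accounts'] > 1
| sort by ['Count of accounts'] desc
```

A practical check before acting on the output: an employee ID that maps to an unusually large number of accounts is often a placeholder value (a default or dummy ID copied into many HR records) rather than a single person with many identities, so the top rows deserve a sanity check against the HR source before they are treated as findings.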

Details


Matt Zorich

Released: June 28, 2022

Tables

IdentityInfo

Keywords

Summarize,Accounts,Environment,EmployeeId,Regular,Admin,Data,Connector,Microsoft,Sentinel,UEBA,IdentityInfo,TimeGenerated,AccountUPN,isnotempty,Count,List,dcount,make_set,sort.

Operators

where, summarize, arg_max, by, isnotempty, dcount, make_set, sort
