Query Details

Identity Info Visualize Blast Radius

Query

//Visualize accounts by blast radius level

//Data connector required for this query - Microsoft Sentinel UEBA

IdentityInfo
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where isnotempty(BlastRadius)
| summarize Count=count() by BlastRadius
| order by Count
| render piechart with (title="Accounts by Microsoft Sentinel UEBA blast radius")

Explanation

This query is used to visualize accounts based on their blast radius level. It requires the Microsoft Sentinel UEBA data connector.

The query filters the IdentityInfo data for the past 30 days and selects the latest record for each AccountUPN. It then filters out accounts without a blast radius value. The query then counts the number of accounts for each blast radius level, orders them, and renders a pie chart with the title "Accounts by Microsoft Sentinel UEBA blast radius".
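The same pattern (keep one record per account, then aggregate) can also be turned into a change check. As an added example that is not part of the original query or the author's page, the query below compares each account's earliest and latest IdentityInfo record in the window and surfaces accounts whose blast radius level changed; `lookback` is an assumed parameter, and the column names are the ones used above.

```kql
// Added example: accounts whose UEBA blast radius level changed in the window.
// Requires the Microsoft Sentinel UEBA data connector (IdentityInfo table).
let lookback = 30d;   // assumed parameter; matches the 30d window used above
IdentityInfo
| where TimeGenerated > ago(lookback)
| where isnotempty(BlastRadius)
// Earliest and latest record per account, carrying the BlastRadius seen at each point
| summarize
    (FirstSeen, FirstBlastRadius) = arg_min(TimeGenerated, BlastRadius),
    (LastSeen, LastBlastRadius) = arg_max(TimeGenerated, BlastRadius)
    by AccountUPN
// Keep only accounts whose level differs between the two records
| where FirstBlastRadius != LastBlastRadius
| project AccountUPN, FirstSeen, FirstBlastRadius, LastSeen, LastBlastRadius
| order by LastSeen desc
```

Accounts that moved to a wider blast radius are the ones to review first, since the change usually reflects new group memberships or permissions rather than activity.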

Details

Matt Zorich

Released: June 28, 2022

Tables

IdentityInfo

Keywords

Accounts,BlastRadius,Microsoft,Sentinel,UEBA

Operators

where,ago,summarize,arg_max,by,isnotempty,order by,render
