Query Details

Mail Items Accessed

Query

```KQL
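// Combine both log sources; OfficeActivity rows are counted below as UAL events
union OfficeActivity, CloudAppEvents
| where TimeGenerated > ago(30d)
// CloudAppEvents stores the operation name in ActionType, OfficeActivity in Operation
| extend Operation = coalesce(ActionType, Operation)
| where Operation == "MailItemsAccessed"
// Daily totals, overall and per source table
| summarize TotalEvents = count(), TotalCloudAppsEvents = countif(Type == "CloudAppEvents"), TotalUALEvents = countif(Type == "OfficeActivity") by bin(TimeGenerated, 1d)
// True on days where both sources logged the same number of events
| extend EqualLogs = iff(TotalCloudAppsEvents == TotalUALEvents, true, false)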
```

Explanation

This query combines data from two sources, OfficeActivity and CloudAppEvents, over the last 30 days and keeps only events whose operation is MailItemsAccessed. It counts those events per day, both in total and per source table, and sets EqualLogs to true on days where both sources recorded the same number of events.

Details


Bert-Jan Pals

Released: June 27, 2024

Tables

OfficeActivity, CloudAppEvents

Keywords

Devices, Intune, User

Operators

union, where, extend, summarize, count(), countif(), by, bin, iff
