Query Details
Most Impersonators By Account
Query
# List the top 10 accounts that have the most impersonators
### Defender For Endpoint
```
CloudAppEvents
| where IsImpersonated == 1
| extend
MailboxOwnerUPN = tostring(parse_json(RawEventData).MailboxOwnerUPN),
ActionPerformedBy = tostring(parse_json(RawEventData).UserId)
| where MailboxOwnerUPN != ActionPerformedBy
| summarize Impersonators = make_set(ActionPerformedBy) by MailboxOwnerUPN
| extend TotalImpersonators = array_length(Impersonators)
| top 10 by TotalImpersonators
```
### Sentinel
```
CloudAppEvents
| where IsImpersonated == 1
| extend
MailboxOwnerUPN = tostring(parse_json(RawEventData).MailboxOwnerUPN),
ActionPerformedBy = tostring(parse_json(RawEventData).UserId)
| where MailboxOwnerUPN != ActionPerformedBy
| summarize Impersonators = make_set(ActionPerformedBy) by MailboxOwnerUPN
| extend TotalImpersonators = array_length(Impersonators)
| top 10 by TotalImpersonators
```
Explanation
The query lists the top 10 accounts that have the most impersonators. It filters the CloudAppEvents data to only include events where impersonation occurred. It then extracts the MailboxOwnerUPN and ActionPerformedBy values from the RawEventData field. It filters out any events where the MailboxOwnerUPN and ActionPerformedBy values are the same. It groups the data by MailboxOwnerUPN and creates a set of unique impersonators for each account. It calculates the total number of impersonators for each account and selects the top 10 accounts with the highest number of impersonators.
Details
Bert-Jan Pals
Released: February 14, 2023
Tables
CloudAppEvents
Keywords
CloudAppEvents,IsImpersonated,RawEventData,MailboxOwnerUPN,ActionPerformedBy,make_set,summarize,array_length,top10,TotalImpersonators
Operators
whereextendtostringparse_jsonsummarizemake_setbyarray_lengthtop