Query Details

List the top 10 accounts that have the most impersonators

Most Impersonators By Account

Query

CloudAppEvents
| where IsImpersonated == 1
| extend
     MailboxOwnerUPN = tostring(parse_json(RawEventData).MailboxOwnerUPN),
     ActionPerformedBy = tostring(parse_json(RawEventData).UserId)
| where MailboxOwnerUPN != ActionPerformedBy
| summarize Impersonators = make_set(ActionPerformedBy) by MailboxOwnerUPN
| extend TotalImpersonators = array_length(Impersonators)
| top 10 by TotalImpersonators

About this query

List the top 10 accounts that have the most impersonators

Query Information

Description

This query lists the top 10 accounts that have performed the most imporsonated users. The definiation for this field is: Indicates whether the activity was performed by one user for another (impersonated) user.

Defender XDR

Sentinel

CloudAppEvents
| where IsImpersonated == 1
| extend
     MailboxOwnerUPN = tostring(parse_json(RawEventData).MailboxOwnerUPN),
     ActionPerformedBy = tostring(parse_json(RawEventData).UserId)
| where MailboxOwnerUPN != ActionPerformedBy
| summarize Impersonators = make_set(ActionPerformedBy) by MailboxOwnerUPN
| extend TotalImpersonators = array_length(Impersonators)
| top 10 by TotalImpersonators

Explanation

This query is designed to identify the top 10 user accounts that have been impersonated the most. Here's a simple breakdown of what the query does:

  1. Filter Impersonated Events: It starts by filtering events where an action was performed by one user on behalf of another, indicating impersonation.

  2. Extract Relevant Information: For each event, it extracts the email address of the account owner (MailboxOwnerUPN) and the user who performed the action (ActionPerformedBy).

  3. Exclude Self-Actions: It ensures that the action was not performed by the account owner themselves, focusing only on true impersonation cases.

  4. Identify Unique Impersonators: It groups the data by the account owner and creates a list of unique users who have impersonated each account.

  5. Count Impersonators: It calculates the total number of unique impersonators for each account.

  6. Rank Accounts: Finally, it sorts the accounts based on the number of impersonators and selects the top 10 accounts with the most impersonators.

In summary, this query helps identify which accounts are most frequently targeted for impersonation, providing insights into potential security risks.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

CloudAppEvents

Keywords

CloudAppEventsMailboxOwnerUPNActionPerformedByImpersonators

Operators

whereextendtostringparse_jsonsummarizemake_setbyarray_lengthtop

Actions

GitHub