Query Details

New Admins

Query

// Discover new admin account activity: Exchange admin operations in the last day
// by accounts that performed none in the preceding 13 days.
let starttime = 14d;   // how far back the baseline reaches
let endtime = 1d;      // the "recent" window being compared against the baseline
// Baseline: every admin UserId with ExchangeAdmin activity between 14 days and 1 day ago
let historicalActivity =
    OfficeActivity
    | where TimeGenerated between (ago(starttime) .. ago(endtime))
    | where RecordType == "ExchangeAdmin" and UserType in ("Admin", "DcAdmin")
    | summarize historicalCount = count() by UserId;
// Recent: admin UserIds with ExchangeAdmin activity in the last day
let recentActivity =
    OfficeActivity
    | where TimeGenerated > ago(endtime)
    | where RecordType == "ExchangeAdmin" and UserType in ("Admin", "DcAdmin")
    | summarize recentCount = count() by UserId;
recentActivity
// leftanti keeps recent UserIds that have no row in the baseline, i.e. admins not seen before
| join kind=leftanti (
    historicalActivity
  ) on UserId
| project UserId, recentCount
| order by recentCount asc, UserId
// rightsemi returns the raw OfficeActivity rows for those UserIds so the details can be summarized
| join kind=rightsemi (
    OfficeActivity
    | where TimeGenerated >= ago(endtime)
    | where RecordType == "ExchangeAdmin" and UserType in ("Admin", "DcAdmin")
  ) on UserId
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count()
    by RecordType, Operation, UserType, UserId, OriginatingServer, ResultStatus
| extend timestamp = StartTime, AccountCustomEntity = UserId
// Keep only the account entity; add timestamp, Operation and count_ here if you want them in the results
| project AccountCustomEntity

Explanation

The query hunts for accounts whose first Exchange admin activity falls within the most recent day. It builds a baseline (historicalActivity) of UserIds that performed ExchangeAdmin operations with UserType Admin or DcAdmin between 14 days and 1 day ago, and a second set (recentActivity) of admin UserIds active in the last day. The leftanti join keeps only the recent UserIds that have no match in the baseline, which is what "new admin" means here. The rightsemi join then pulls the full OfficeActivity rows for those UserIds from the last day, and the summarize groups them per user, operation, originating server and result status with the earliest and latest timestamps and a count. Because ResultStatus is part of the grouping, failed and succeeded attempts at the same operation show up as separate rows, which helps spot an account probing for permissions it does not have. The timestamp and AccountCustomEntity columns are the entity mapping Sentinel uses for the account; the final project keeps only AccountCustomEntity.

Points to keep in mind when running it: the baseline is a sliding 14-day window, so an admin who was idle for more than two weeks is reported as new, and the first run after OfficeActivity ingestion begins will flag every admin because there is no history yet. The query surfaces accounts that are newly acting as Exchange admins; an attacker operating through an already-established admin account is not caught, and a directory admin who has never run an Exchange admin operation does not appear in OfficeActivity at all. Widen starttime if your admins act infrequently, and review the flagged UserIds against the change or onboarding records that should explain them.
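To check the logic before scheduling it, the usual trick is to shadow the OfficeActivity table with a datatable of synthetic rows and run the hunting query unchanged on top of it. The block below is an added example, not part of the original page or of the Sentinel content; every row, user name and server name in it is constructed, and the rows are anchored to now() with a DaysAgo column so the ago() windows line up whenever it is run.

```kql
// Added example: synthetic OfficeActivity rows to exercise the "New Admins" logic.
// The let below shadows the real OfficeActivity table; everything in it is constructed.
let OfficeActivity = datatable(DaysAgo:real, RecordType:string, UserType:string, UserId:string,
                               Operation:string, OriginatingServer:string, ResultStatus:string)
[
    // alice: long-standing Exchange admin, active in the baseline and again today (not new)
    10.0, "ExchangeAdmin", "Admin",   "alice@contoso.com", "Set-Mailbox",              "EX01", "Succeeded",
    5.0,  "ExchangeAdmin", "Admin",   "alice@contoso.com", "Set-Mailbox",              "EX01", "Succeeded",
    0.5,  "ExchangeAdmin", "Admin",   "alice@contoso.com", "Set-Mailbox",              "EX01", "Succeeded",
    // bob: first Exchange admin operations ever, all within the last day (new admin)
    0.6,  "ExchangeAdmin", "Admin",   "bob@contoso.com",   "Add-MailboxPermission",    "EX02", "Succeeded",
    0.3,  "ExchangeAdmin", "Admin",   "bob@contoso.com",   "Add-MailboxPermission",    "EX02", "Succeeded",
    0.2,  "ExchangeAdmin", "Admin",   "bob@contoso.com",   "New-InboxRule",            "EX02", "Succeeded",
    // carol: recent admin activity, but not an ExchangeAdmin record (filtered out)
    0.4,  "SharePoint",    "Admin",   "carol@contoso.com", "SiteCollectionAdminAdded", "SP01", "Succeeded",
    // dave: last seen 20 days ago, outside the 14-day baseline (reported as new: the baseline gap)
    20.0, "ExchangeAdmin", "DcAdmin", "dave@contoso.com",  "Set-TransportRule",        "EX01", "Succeeded",
    0.1,  "ExchangeAdmin", "DcAdmin", "dave@contoso.com",  "Set-TransportRule",        "EX01", "Succeeded",
    // eve: ExchangeAdmin record from a non-admin UserType (filtered out)
    0.5,  "ExchangeAdmin", "Regular", "eve@contoso.com",   "Set-Mailbox",              "EX01", "Failed"
]
| extend TimeGenerated = now() - DaysAgo * 1d   // anchor the rows to "now" so ago() works
| project-away DaysAgo;
// The hunting query, unchanged apart from ending at the summarize so every column is visible
let starttime = 14d;
let endtime = 1d;
let historicalActivity =
    OfficeActivity
    | where TimeGenerated between (ago(starttime) .. ago(endtime))
    | where RecordType == "ExchangeAdmin" and UserType in ("Admin", "DcAdmin")
    | summarize historicalCount = count() by UserId;
let recentActivity =
    OfficeActivity
    | where TimeGenerated > ago(endtime)
    | where RecordType == "ExchangeAdmin" and UserType in ("Admin", "DcAdmin")
    | summarize recentCount = count() by UserId;
recentActivity
| join kind=leftanti (historicalActivity) on UserId
| join kind=rightsemi (
    OfficeActivity
    | where TimeGenerated >= ago(endtime)
    | where RecordType == "ExchangeAdmin" and UserType in ("Admin", "DcAdmin")
  ) on UserId
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count()
    by RecordType, Operation, UserType, UserId, OriginatingServer, ResultStatus
| order by UserId asc, Operation asc
```

The rows are chosen so that each filter and join has one case that exercises it: alice is removed by the leftanti join because she is in the baseline, carol by the RecordType filter, eve by the UserType filter, while bob (no history at all) and dave (history only beyond the 14-day window) are the accounts the query should return. Dave is the case worth remembering when triaging: a "new admin" here may simply be an admin who was quiet for more than two weeks.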

Details

Rod Trent

Released: November 5, 2021

Tables

OfficeActivity

Keywords

Admin,DcAdmin,ExchangeAdmin,OfficeActivity,RecordType,TimeGenerated,UserType,UserId,OriginatingServer,ResultStatus

Operators

between, ago, where, and, in, summarize, count, join, kind, leftanti, on, project, order by, rightsemi, max, min, extend
