Query Details

Office Activity Find New Operations

Query

//Find any new operations audited in Office 365 in the last 14 days vs the previous 180 days

//Data connector required for this query - Office 365

let existingoperations=
    OfficeActivity
    | where TimeGenerated > ago(180d) and TimeGenerated < ago(14d)
    | distinct Operation;
OfficeActivity
| where TimeGenerated > ago(14d)
| summarize arg_min(TimeGenerated, *) by Operation
| where Operation !in (existingoperations)
| project ['Time First Seen']=TimeGenerated, Operation, OfficeWorkload

Explanation

This query finds any operations audited in Office 365 in the last 14 days that did not appear in the previous 180 days. It requires the Office 365 data connector. It first builds the list of operations seen between 180 and 14 days ago, then returns the operations from the last 14 days that are not in that list. For each new operation, the result shows the time it was first seen, the operation name, and the Office workload it belongs to.
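To make the baseline-versus-recent logic concrete, here is an added Python example (not part of the original page and not the author's code) that reproduces the query's semantics over a handful of constructed OfficeActivity rows: the `let` subquery becomes a set of operations seen in the baseline window, `summarize arg_min(TimeGenerated, *) by Operation` becomes a per-operation earliest-record pass over the last 14 days, and `!in` becomes a set exclusion. The fixed reference time, the row contents and the helper name are assumptions made for the example; one of the constructed operations was last seen 200 days ago, outside the 180-day baseline, which shows the query will report it as "new" even though it has occurred before.

```python
from datetime import datetime, timedelta

# Fixed reference time standing in for now() so the example is deterministic (assumption).
NOW = datetime(2022, 6, 17)

# Constructed sample rows shaped like OfficeActivity; not data from any real tenant.
SAMPLE_ROWS = [
    {"TimeGenerated": NOW - timedelta(days=100), "Operation": "FileAccessed", "OfficeWorkload": "SharePoint"},
    {"TimeGenerated": NOW - timedelta(days=3), "Operation": "FileAccessed", "OfficeWorkload": "SharePoint"},
    {"TimeGenerated": NOW - timedelta(days=10), "Operation": "New-InboxRule", "OfficeWorkload": "Exchange"},
    {"TimeGenerated": NOW - timedelta(days=5), "Operation": "New-InboxRule", "OfficeWorkload": "Exchange"},
    # Seen 200 days ago: older than the 180-day baseline, so it will not count as "existing".
    {"TimeGenerated": NOW - timedelta(days=200), "Operation": "Add-MailboxPermission", "OfficeWorkload": "Exchange"},
    {"TimeGenerated": NOW - timedelta(days=2), "Operation": "Add-MailboxPermission", "OfficeWorkload": "Exchange"},
    {"TimeGenerated": NOW - timedelta(days=50), "Operation": "UserLoggedIn", "OfficeWorkload": "AzureActiveDirectory"},
]


def find_new_operations(rows, now=NOW, baseline_days=180, recent_days=14):
    """Return operations first seen in the recent window that are absent from the baseline window.

    Mirrors the KQL: baseline = TimeGenerated > ago(180d) and < ago(14d) | distinct Operation;
    recent = TimeGenerated > ago(14d) | summarize arg_min(TimeGenerated, *) by Operation;
    result = recent where Operation !in baseline, projected to the three output columns.
    """
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)

    # let existingoperations = ... | distinct Operation
    existing = {r["Operation"] for r in rows if baseline_start < r["TimeGenerated"] < recent_start}

    # summarize arg_min(TimeGenerated, *) by Operation: keep the earliest full row per operation
    first_seen = {}
    for r in rows:
        if r["TimeGenerated"] > recent_start:
            op = r["Operation"]
            if op not in first_seen or r["TimeGenerated"] < first_seen[op]["TimeGenerated"]:
                first_seen[op] = r

    # where Operation !in (existingoperations) | project ['Time First Seen'], Operation, OfficeWorkload
    results = [
        {"Time First Seen": r["TimeGenerated"], "Operation": op, "OfficeWorkload": r["OfficeWorkload"]}
        for op, r in first_seen.items()
        if op not in existing
    ]
    return sorted(results, key=lambda row: row["Time First Seen"])


if __name__ == "__main__":
    for row in find_new_operations(SAMPLE_ROWS):
        print(row["Time First Seen"].date(), row["Operation"], row["OfficeWorkload"])
```

Running it lists New-InboxRule and Add-MailboxPermission as new; FileAccessed and UserLoggedIn are suppressed because they appear in the baseline window. When triaging real output, an operation that is genuinely new to the tenant (for example a first-ever mailbox permission change) deserves more attention than one that merely fell out of the 180-day lookback, so checking the operation's longer history is a useful follow-up step.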

Details


Matt Zorich

Released: June 17, 2022

Tables

OfficeActivity

Keywords

OfficeActivity,TimeGenerated,Operation,OfficeWorkload

Operators

where, ago(), distinct, |, summarize, arg_min(), by, in, project
