Query Details

Office Activity New Teams App Installed

Query

//Detect when an app is installed into Teams for the first time compared to the previous timerange

//Data connector required for this query - Office 365

let knownapps=
    OfficeActivity
    | where TimeGenerated > ago(180d) and TimeGenerated < ago(7d)
    | where OfficeWorkload == "MicrosoftTeams"
    | where Operation == "AppInstalled"
    | distinct AzureADAppId;
OfficeActivity
| where TimeGenerated > ago (7d)
| where OfficeWorkload == "MicrosoftTeams"
| where Operation == "AppInstalled"
| where AzureADAppId !in (knownapps)
| project TimeGenerated, UserId, AddonName, AzureADAppId

Explanation

This query detects apps that are installed into Microsoft Teams for the first time, by comparing the last 7 days against an earlier baseline period. It requires the Office 365 data connector and reads the OfficeActivity table.

First, it creates a variable called "knownapps" by selecting the distinct AzureADAppId values of Microsoft Teams "AppInstalled" events in the OfficeActivity table from the last 180 days, excluding the most recent 7 days.

Then, it selects records from the OfficeActivity table within the last 7 days where the OfficeWorkload is "MicrosoftTeams" and the Operation is "AppInstalled". It filters out any records where the AzureADAppId is already in the "knownapps" variable.

The final result includes the TimeGenerated, UserId, AddonName, and AzureADAppId columns.
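
Added example, not part of the original query: the same first-seen logic run against a constructed datatable instead of OfficeActivity, so the baseline behaviour can be checked in a workspace without real data. The sample rows, the DaysAgo helper column and the final summarize (one row per new app, which goes beyond the original project) are assumptions made for illustration; the rows cover an app seen only before the 180-day baseline, an app already in the baseline, a new app installed twice, and a non-install Teams event.

```kusto
// Constructed sample rows standing in for OfficeActivity (not real tenant data).
// DaysAgo is a helper column for this example; it is turned into TimeGenerated below.
let SampleOfficeActivity =
    datatable(DaysAgo:int, OfficeWorkload:string, Operation:string, UserId:string, AddonName:string, AzureADAppId:string)
    [
        200, "MicrosoftTeams", "AppInstalled", "alice@contoso.example", "Old App",   "00000000-0000-0000-0000-000000000001",
        90,  "MicrosoftTeams", "AppInstalled", "bob@contoso.example",   "Known App", "00000000-0000-0000-0000-000000000002",
        3,   "MicrosoftTeams", "AppInstalled", "carol@contoso.example", "Known App", "00000000-0000-0000-0000-000000000002",
        2,   "MicrosoftTeams", "AppInstalled", "dave@contoso.example",  "Old App",   "00000000-0000-0000-0000-000000000001",
        1,   "MicrosoftTeams", "AppInstalled", "erin@contoso.example",  "New App",   "00000000-0000-0000-0000-000000000003",
        1,   "MicrosoftTeams", "AppInstalled", "frank@contoso.example", "New App",   "00000000-0000-0000-0000-000000000003",
        1,   "MicrosoftTeams", "TeamCreated",  "erin@contoso.example",  "",          ""
    ]
    | extend TimeGenerated = now() - DaysAgo * 1d
    | project-away DaysAgo;
// Baseline: apps installed between 180 and 7 days ago (same filter as the original query).
let knownapps =
    SampleOfficeActivity
    | where TimeGenerated > ago(180d) and TimeGenerated < ago(7d)
    | where OfficeWorkload == "MicrosoftTeams"
    | where Operation == "AppInstalled"
    | distinct AzureADAppId;
// Detection window: installs in the last 7 days whose app ID is not in the baseline.
SampleOfficeActivity
| where TimeGenerated > ago(7d)
| where OfficeWorkload == "MicrosoftTeams"
| where Operation == "AppInstalled"
| where AzureADAppId !in (knownapps)
// Variation on the original project: collapse repeated installs to one row per app.
| summarize FirstInstall = min(TimeGenerated), Installs = count(), Installers = make_set(UserId)
    by AzureADAppId, AddonName
```

An app whose only earlier install is older than the 180-day lookback is treated as new again, so the lookback length sets how long an app stays "known".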

Details

Matt Zorich

Released: June 17, 2022

Tables

OfficeActivity

Keywords

Devices,Intune,User,OfficeActivity,TimeGenerated,OfficeWorkload,Operation,AppInstalled,AzureADAppId,UserId,AddonName

Operators

let, where, ago, and, distinct, in, project
