Office Activity Office Policytampering
Query
OfficeActivity
| where Operation has_any ("Remove", "Disable") and Operation matches regex @"(?i)AntiPhish|SafeAttachment|SafeLinks|Dlp|Audit(?-i)"
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]%]+)(%\d+)?\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
| project
TimeGenerated,
OfficeWorkload,
RecordType,
UserType,
UserId,
IPAddress = tostring(ClientIPValues[0]),
Operation,
ResultStatus,
ParametersExplanation
This query is looking at office activity data. It's specifically searching for operations that include either "Remove" or "Disable" and match certain keywords related to security features (AntiPhish, SafeAttachment, SafeLinks, Dlp, Audit). It's then extracting IP address and port information from the ClientIP field. The final output of the query will show the time the activity was generated, the office workload, record type, user type, user ID, IP address, operation, result status, and parameters.
Details

Jose Sebastián Canós
Released: January 3, 2023
Tables
OfficeActivity
Keywords
OfficeActivityOperationAntiPhishSafeAttachmentSafeLinksDlpAuditClientIPValuesIPAddressPortTimeGeneratedOfficeWorkloadRecordTypeUserTypeUserIdResultStatusParameters
Operators
wherehas_anymatchesregexextendextract_alldynamicprojecttostring