Query Details
//This query monitors Purview Audit searches in your tenant
//Helps track who is performing searches and what parameters they're using
//Important for monitoring potential insider threats
CloudAppEvents
// | sort by Timestamp asc - For lifecycle of a specific search
| where ActionType startswith "AuditSearch"
| extend CreationTime = RawEventData.CreationTime
| extend Operation = RawEventData.Operation
| extend SearchJobId = RawEventData.SearchJobId
// | where SearchJobId == "[GUID]" - For lifecycle of a specific search
| extend SearchJobName = RawEventData.SearchJobName
| extend RecordType = RawEventData.RecordType
| extend SearchFilters = RawEventData.SearchFilters
| project CreationTime, RecordType, Operation, SearchJobId, SearchJobName, SearchFilters
This query is designed to monitor audit searches within your organization's Purview environment. It focuses on identifying who is conducting these searches and the parameters they are using, which is crucial for detecting potential insider threats. Here's a breakdown of what the query does:
Data Source: It pulls data from CloudAppEvents, which contains logs of various cloud application activities.
Filter: The query filters events to only include those where the ActionType starts with "AuditSearch". This means it is specifically looking at audit search activities.
Data Extraction: It extracts several pieces of information from the raw event data:
CreationTime: When the search was created.
Operation: The type of operation performed.
SearchJobId: A unique identifier for the search job.
SearchJobName: The name of the search job.
RecordType: The type of record involved.
SearchFilters: The filters used in the search.
Projection: Finally, it selects and displays only the extracted fields: CreationTime, RecordType, Operation, SearchJobId, SearchJobName, and SearchFilters.
This query helps in tracking and analyzing audit search activities to ensure security and compliance within the organization.
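The query above returns one row per audit-search event. The following added example (not part of the original query) builds on it for triage: it collapses each search job's lifecycle into a single row and then baselines search volume per account so unusually search-heavy users stand out. It assumes the CloudAppEvents actor columns AccountObjectId and AccountDisplayName are populated for these events, and the threshold value is a placeholder to be tuned per tenant.

```kql
// Added example: per-account baseline of Purview audit searches.
// Assumes AccountObjectId / AccountDisplayName are populated for AuditSearch events
// and that RawEventData carries the same fields the query above projects.
let lookback = 7d;
let threshold = 10;   // placeholder: distinct search jobs per account per lookback window
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "AuditSearch"
| extend SearchJobId   = tostring(RawEventData.SearchJobId),
         SearchJobName = tostring(RawEventData.SearchJobName),
         Operation     = tostring(RawEventData.Operation),
         SearchFilters = tostring(RawEventData.SearchFilters)
| where isnotempty(SearchJobId)
// Collapse the lifecycle of each search job into one row: who ran it, when it
// started and finished, which operations it passed through, and what it filtered on.
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Operations = make_set(Operation),
            SearchJobName = take_any(SearchJobName),
            SearchFilters = take_any(SearchFilters)
          by SearchJobId, AccountObjectId, AccountDisplayName
// Roll up per account; keep a capped list of the jobs for the analyst to review.
| summarize JobCount = dcount(SearchJobId),
            Jobs = make_list(bag_pack("Id", SearchJobId, "Name", SearchJobName, "Filters", SearchFilters), 50),
            FirstSeen = min(FirstSeen),
            LastSeen = max(LastSeen)
          by AccountObjectId, AccountDisplayName
| where JobCount >= threshold
| order by JobCount desc
```

Lowering the threshold to 1 turns the query into a plain per-account inventory of recent audit searches, which is useful for establishing a baseline before alerting on it.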

Purav
Released: November 10, 2024