Query Details
CloudAppEvents
| where ActionType == "SetAdvancedFeatures"
| extend SettingName = tostring(parse_json(RawEventData).SettingName), SettingsNewValue = tostring(parse_json(RawEventData).SettingsNewValue)
| where SettingName == "Live Response unsigned script execution"
| project-reorder TimeGenerated, AccountId, ActionType, SettingName, SettingsNewValue
This KQL (Kusto Query Language) query is designed to analyze cloud application events. Here's a simple breakdown of what it does:
Source Table: It starts by looking at the CloudAppEvents table, which contains records of various actions performed in cloud applications.
Filter by ActionType: It filters the records to only include those where the ActionType is "SetAdvancedFeatures". This means it is interested in events where advanced features are being configured or modified.
Extract Specific Fields: It uses the extend function to extract two specific pieces of information from the RawEventData field:
SettingName: The name of the setting being changed.
SettingsNewValue: The new value that the setting is being changed to.
Both are converted to strings for easier handling.
Filter by SettingName: It further narrows down the results to only include events where the SettingName is "Live Response unsigned script execution". This focuses the query on a specific advanced feature related to script execution.
Reorder Columns: Finally, it uses project-reorder to organize the output columns in a specific order: TimeGenerated, AccountId, ActionType, SettingName, and SettingsNewValue. This makes the output easier to read and analyze by prioritizing these fields.
In summary, this query identifies and organizes events where the "Live Response unsigned script execution" setting was changed, providing details about when it happened, who did it, and what the new setting value is.
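The query above answers one question about one setting. The following added query (not part of the original page or its author's library) broadens the same pattern to every SetAdvancedFeatures event and summarizes, per account and per setting, how often and to what value each feature was changed, so the "Live Response unsigned script execution" toggle is seen alongside any other advanced features the same account touched. It uses only the columns the page already names; the 30-day window, the `=~ "true"` comparison (assuming tostring() renders an enabled flag as the text "true") and the `EnabledCount` column name are assumptions.

```kql
// Added example: per-account summary of all advanced-feature changes (not from the original page).
// Assumes CloudAppEvents is ingested with a TimeGenerated column, as in the page's query.
CloudAppEvents
| where TimeGenerated > ago(30d)                       // assumed hunting window
| where ActionType == "SetAdvancedFeatures"
| extend Raw = parse_json(RawEventData)                // parse once, reuse for both fields
| extend SettingName = tostring(Raw.SettingName),
         SettingsNewValue = tostring(Raw.SettingsNewValue)
| where isnotempty(SettingName)                        // drop events with no parsable setting
| extend IsHighRisk = SettingName == "Live Response unsigned script execution"
| summarize ChangeCount = count(),
            // assumption: an enabled feature serialises as "true" after tostring()
            EnabledCount = countif(SettingsNewValue =~ "true"),
            NewValues = make_set(SettingsNewValue),
            FirstChange = min(TimeGenerated),
            LastChange = max(TimeGenerated)
    by AccountId, SettingName, IsHighRisk
| order by IsHighRisk desc, LastChange desc
| project-reorder LastChange, FirstChange, AccountId, SettingName, IsHighRisk, ChangeCount, EnabledCount, NewValues
```

Sorting on IsHighRisk first keeps the unsigned-script setting at the top of the results, while the remaining rows show whether the same account was changing other advanced features in the same period; a high EnabledCount on the high-risk row for an account that is not a known Defender administrator is the result worth reviewing.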

Jay Kerai
Released: November 11, 2024