Query Details

Visualization Operations Performed

Query

# Visualisation of operations that have been seen in the Cloud App logs in the last 30 days

### Defender For Endpoint

```
CloudAppEvents
| where Timestamp > ago(30d)
| extend Operation = tostring(parse_json(RawEventData).Operation)
| where Operation != "CrmDefaultActivity" //Filter Dynamics 365 activities.
| summarize count() by Operation
| render piechart with(title="Operations last 30 days")
```
### Sentinel
```
CloudAppEvents
| where TimeGenerated > ago(30d)
| extend Operation = tostring(parse_json(RawEventData).Operation)
| where Operation != "CrmDefaultActivity" //Filter Dynamics 365 activities.
| summarize count() by Operation
| render piechart with(title="Operations last 30 days")
```

Explanation

The query retrieves every Cloud App event from the last 30 days, pulls the audit operation name out of the raw Office 365 audit record (`RawEventData.Operation`), drops the high-volume `CrmDefaultActivity` records that Dynamics 365 emits, counts events per operation and renders the result as a pie chart. The two blocks differ only in the time column: the first is written for Advanced Hunting in the Microsoft 365 Defender portal, where `CloudAppEvents` is stamped with `Timestamp`; the second for Microsoft Sentinel, where the same table is ingested through the Microsoft 365 Defender connector and the time column is `TimeGenerated`. Note that `Operation` is taken from the raw audit payload rather than from the normalized `ActionType` column, so the slice names are the original Microsoft 365 audit operation names (for example `FileAccessed` or `UserLoggedIn`) and the chart reflects event volume, not risk: the largest slices are routine activity, and the operations worth hunting on are usually the ones too small to show up as a visible slice.
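The pie chart hides exactly the operations a hunter cares about, so the following added query (not part of the original page) keeps the same table and the same `RawEventData.Operation` extraction but inverts the view: it lists operations seen fewer than a handful of times in the window, together with when they first and last appeared, which applications and accounts produced them, and which normalized `ActionType` values they map to. `Application`, `AccountDisplayName` and `ActionType` are standard `CloudAppEvents` columns; the `rareThreshold` value of 5 is an assumption to tune per tenant. As with the page's own query, swap `Timestamp` for `TimeGenerated` to run it in Sentinel.

```kql
// Added example, not from the original page: surface the long tail of Cloud App
// operations that the pie chart collapses into invisible slices.
// Same table and the same RawEventData.Operation field as the query above.
// Assumption: "rare" means fewer than 5 events in the lookback window; adjust per tenant.
let lookback = 30d;
let rareThreshold = 5;
CloudAppEvents
| where Timestamp > ago(lookback)
// Operation comes from the raw Office 365 audit record, not from ActionType
| extend Operation = tostring(parse_json(RawEventData).Operation)
// Drop records with no operation name and the Dynamics 365 noise filtered by the original query
| where isnotempty(Operation) and Operation != "CrmDefaultActivity"
| summarize
    Events      = count(),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Apps        = make_set(Application, 10),        // which workloads emitted it
    Actors      = make_set(AccountDisplayName, 10), // who performed it
    ActionTypes = make_set(ActionType, 10)          // normalized name(s) it maps to
    by Operation
| where Events < rareThreshold
| order by Events asc, LastSeen desc
```

Run it side by side with the pie chart: an operation that appears once, from one account, in an application that account does not normally touch, is a far better starting point for an investigation than any slice of the chart. Comparing `Operation` with the `ActionTypes` set also shows where the raw audit name and the normalized column diverge, which matters when a detection keys on one but the analyst searches on the other.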

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

CloudAppEvents

Keywords

CloudAppEvents,Timestamp,ago,RawEventData,Operation,CrmDefaultActivity,summarize,render,piechart,title,TimeGenerated

Operators

where, ago, extend, tostring, parse_json, summarize, by, render
