Visualisation of operations that have been seen in the Cloud App logs in the last 30 days
Visualization Operations Performed
Query
CloudAppEvents
| where TimeGenerated > ago(30d)
| extend Operation = tostring(parse_json(RawEventData).Operation)
| where Operation != "CrmDefaultActivity" //Filter Dynamics 365 activities.
| summarize count() by Operation
| render piechart with(title="Operations last 30 days")About this query
Visualisation of operations that have been seen in the Cloud App logs in the last 30 days
Defender XDR
CloudAppEvents
| where Timestamp > ago(30d)
| extend Operation = tostring(parse_json(RawEventData).Operation)
| where Operation != "CrmDefaultActivity" //Filter Dynamics 365 activities.
| summarize count() by Operation
| render piechart with(title="Operations last 30 days")
Sentinel
Explanation
This query is designed to create a pie chart visualization of different operations recorded in Cloud App logs over the past 30 days. Here's a simplified breakdown:
-
Data Source: The query pulls data from
CloudAppEvents, which contains logs of operations performed in cloud applications. -
Time Frame: It filters the logs to include only those from the last 30 days.
-
Extract Operation: It extracts the specific operation performed from the
RawEventDatafield and converts it to a string for easier handling. -
Exclude Specific Activity: It excludes operations labeled as "CrmDefaultActivity" to filter out certain Dynamics 365 activities that are not of interest.
-
Count Operations: It counts the number of occurrences of each operation type.
-
Visualization: The results are displayed as a pie chart titled "Operations last 30 days," showing the distribution of different operations over the specified period.
The query is essentially the same for both Defender XDR and Sentinel, focusing on visualizing cloud app operations while excluding certain Dynamics 365 activities.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators