Query Details

When UEBA Was Enabled By Who

Query

//When UEBA was enabled and by who

AzureActivity
| where Properties_d has "microsoft.securityinsights/ueba"
| extend WhoDidIt = Caller
| project WhoDidIt, CallerIpAddress, EventSubmissionTimestamp

Explanation

This query looks for Azure activity related to enabling User and Entity Behavior Analytics (UEBA) by matching events whose properties mention microsoft.securityinsights/ueba. It returns who enabled UEBA, their IP address, and the timestamp of the event.

Details

Rod Trent

Released: February 2, 2021

Tables

AzureActivity

Keywords

AzureActivity,Properties_d,WhoDidIt,Caller,CallerIpAddress,EventSubmissionTimestamp

Operators

where, has, extend, project
