KQL Search

This query is designed to identify and analyze potentially risky behaviors by users within an organization by correlating anomalous insider risk behaviors with specific file events. Here's a simplified breakdown of what the query does:

1. Data Source: It uses two data tables: DataSecurityBehaviors and DataSecurityEvents.

2. Time Frame: It focuses on data from the past 7 days.

3. Anomalous Behaviors: It filters for behaviors marked as anomalous (IsAnomalous == 1) in the DataSecurityBehaviors table.

4. Data Projection: From the DataSecurityBehaviors table, it selects specific columns: BehaviorId, AccountUpn (user account), ActionTypeBehavior, Categories, StartTime, and EndTime.

5. Joining Data: It performs an inner join with the DataSecurityEvents table on the AccountUpn field, meaning it combines records from both tables where the user account matches.

6. Event Filtering: It further filters the joined data to include only those events that occurred within the time window defined by StartTime and EndTime from the DataSecurityBehaviors table.

7. Final Projection: It selects and organizes the final set of columns to display: ActionTypeBehavior, Categories, AccountUpn, Timestamp, ActionType, ObjectId, ApplicationNames, and Workload.

8. Ordering: The results are sorted by AccountUpn and Timestamp in ascending order, making it easier to see the sequence of events for each user.

In summary, this query helps security analysts drill down into specific user behaviors by linking suspicious activities with actual file events, providing a clearer picture of potential insider threats.