Forum Discussion

tijan2018
Microsoft
Feb 15, 2022

KQL

Hi, I am trying to modify the below KQL query to use as a scheduled log analytics rule in Microsoft Sentinel to only trigger an incident when more than 10 emails have been sent on behalf of a user in a day. Any input or guidance will be highly appreciated.

OfficeActivity
| where Operation == "SendOnBehalf"
| summarize by TimeGenerated, UserId, ClientIP, SendOnBehalfOfUserSmtp, SendAsUserSmtp

  • GaryBushey
    Bronze Contributor

    tijan2018 You need to add a count command to your summarize on a unique value for each row that is a separate email, like ItemName. Note that I do not have any data in my OfficeActivity with the needed operation, so I cannot guarantee that is a good column. Then you can filter where the count is greater than 10. It should look something like what is shown below.

    OfficeActivity
    | where Operation == "SendOnBehalf"
    // Name the aggregate explicitly: count(ItemName) is otherwise returned as count_ItemName, so a filter on "_count" never matches.
    // Bin by day so the count is per user per day rather than per exact TimeGenerated value.
    | summarize EmailCount = count(ItemName) by bin(TimeGenerated, 1d), UserId, ClientIP, SendOnBehalfOfUserSmtp, SendAsUserSmtp
    | where EmailCount > 10


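A fuller version of the same detection, written here as an added example rather than code from the thread: it limits the lookback to the rule's daily schedule, counts per user and on-behalf-of mailbox per day (grouping by ClientIP or SendAsUserSmtp would split one user's sends across several rows and hide the total), and collects the IPs and send-as accounts for triage. It assumes, as Gary does, that ItemName is the per-message column in OfficeActivity.

```kql
// Scheduled analytics rule query for Microsoft Sentinel (added example, not from the original post).
// Assumption: the rule runs once a day with a 1-day lookback; adjust ago() to match the rule's query period.
let threshold = 10;
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation == "SendOnBehalf"
// Group by day, sending user and the mailbox sent on behalf of, so all sends by one user are
// totalled together; per-IP and per-send-as detail is kept as sets for the analyst.
| summarize
    EmailCount     = count(),                 // rows per day; ItemName (subject) is assumed to be one row per message
    DistinctItems  = dcount(ItemName),        // collapses duplicate rows for the same message, if any
    ClientIPs      = make_set(ClientIP, 20),
    SendAsAccounts = make_set(SendAsUserSmtp, 20),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by Day = bin(TimeGenerated, 1d), UserId, SendOnBehalfOfUserSmtp
| where EmailCount > threshold
// Columns surfaced for entity mapping (UserId -> Account, ClientIPs -> IP) and the incident description.
| project Day, UserId, SendOnBehalfOfUserSmtp, EmailCount, DistinctItems, FirstSeen, LastSeen, ClientIPs, SendAsAccounts
```

When the rule runs more often than once a day, the daily bin still works but the same day can alert repeatedly as the count grows; either keep the daily schedule or add suppression in the rule settings.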
    • tijan2018
      Microsoft
      Awesome Gary. Thanks for the feedback. Very much appreciated.
