cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

KQL - Correlating data within the same table column and applying a threshold

BcyberS
Brass Contributor

‎Jul 13 2022 06:12 AM

‎Jul 13 2022 06:12 AM

KQL - Correlating data within the same table column and applying a threshold

Hi,

 

I was wondering if anyone could help. Trying to correlate some data within the same table and apply conditions to it.

 

So looking at the scenario of users sending an email and then deleting that email within 5 minutes from their Sent Items. 

 

This query is looking at the OfficeActivity (Exchange) table of the Office 365 Data connector.

 

Within this there is the Operation column which has two values which detect the scenario described: "Send" where the User sends the email from their inbox "Soft Delete" where the user deletes the email from a specified 'Path' - I have parsed out the "\Sent Items" path for this to focus on this path only.

 

Because both outputs "Send" and "Soft Delete" come under the Operation column I need to 1) separate these and 2) try and query the data so it looks for when an email has been sent and then 'soft deleted' from the \Sent Items path within a timeframe (5 mins for example).

 

Can anyone point me in the right direction?

 

Appreciate any help in advance. Thanks

Labels:
2,025 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by BcyberS (Brass Contributor)
Clive_Watson

‎Jul 13 2022 08:36 AM

‎Jul 13 2022 08:36 AM

Solution

Re: KQL - Correlating data within the same table column and applying a threshold

@BcyberS 

This is a method (basic framework) to do this, which you can adapt.

OfficeActivity 
| where TimeGenerated > ago(1h)
| where Operation == 'Send'
| summarize arg_max(TimeGenerated,*) by UserId, 1stTime = TimeGenerated
| join kind= inner 
(
    OfficeActivity
    | where TimeGenerated > ago(1h)
    | where Operation == 'SoftDelete'
    | summarize arg_max(TimeGenerated,*) by UserId, 2ndTime = TimeGenerated
) on UserId
// within 5mins and only SoftDelete after Send
| where datetime_diff('minute',2ndTime,1stTime) < 5 and 2ndTime > 1stTime
| project UserId, 1stTime, 2ndTime,  timeDiffInMins=datetime_diff('minute',2ndTime,1stTime), Operation, Operation1

You can see by UserId who did a SEND then a SOFTDELETE within 5mins.  You'll have to add the "path" part or a method to make sure the "SoftDelete" relates to the same item as the "Send" 

Clive_Watson_0-1657726379785.png

 

0 Likes
Reply
BcyberS

‎Jul 13 2022 08:59 AM

‎Jul 13 2022 08:59 AM

Re: KQL - Correlating data within the same table column and applying a threshold

Thank you Clive_Watson, this is really helpful. I can now parse the path and additional elements to add further context.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by BcyberS (Brass Contributor)
Clive_Watson

‎Jul 13 2022 08:36 AM

‎Jul 13 2022 08:36 AM

Solution

Re: KQL - Correlating data within the same table column and applying a threshold

@BcyberS 

This is a method (basic framework) to do this, which you can adapt.

OfficeActivity 
| where TimeGenerated > ago(1h)
| where Operation == 'Send'
| summarize arg_max(TimeGenerated,*) by UserId, 1stTime = TimeGenerated
| join kind= inner 
(
    OfficeActivity
    | where TimeGenerated > ago(1h)
    | where Operation == 'SoftDelete'
    | summarize arg_max(TimeGenerated,*) by UserId, 2ndTime = TimeGenerated
) on UserId
// within 5mins and only SoftDelete after Send
| where datetime_diff('minute',2ndTime,1stTime) < 5 and 2ndTime > 1stTime
| project UserId, 1stTime, 2ndTime,  timeDiffInMins=datetime_diff('minute',2ndTime,1stTime), Operation, Operation1

You can see by UserId who did a SEND then a SOFTDELETE within 5mins.  You'll have to add the "path" part or a method to make sure the "SoftDelete" relates to the same item as the "Send" 

Clive_Watson_0-1657726379785.png

 

View solution in original post

0 Likes
Reply