cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

KQL

tijan2018
Microsoft

‎Feb 15 2022 02:58 PM

‎Feb 15 2022 02:58 PM

KQL

 Hi, I am trying to modify the below KQL query to use as a scheduled log analytics rule in Microsoft Sentinel to only trigger an incident when more than 10 emails have been sent on behalf of a user in a day. Any input or guidance will be highly appreciated.

OfficeActivity
| where Operation == "SendOnBehalf"
| summarize by TimeGenerated, UserId, ClientIP, SendOnBehalfOfUserSmtp, SendAsUserSmtp

Labels:
1,182 Views
0 Likes
2 Replies
Reply
2 Replies
Gary Bushey

‎Feb 15 2022 05:02 PM

‎Feb 15 2022 05:02 PM

Re: KQL

@tijan2018 You need to add a count command to your summarize on a unique value for each row that is a separate Email like ItemName.  Note that I do not have any data in my OfficeActivity with the needed operation so I cannot guarantee that is a good column.   Then you can filter where the count is greater than 10.  It should look something like what is shown below

OfficeActivity
| where Operation == "SendOnBehalf"
| summarize count(ItemName) by TimeGenerated, UserId, ClientIP, SendOnBehalfOfUserSmtp, SendAsUserSmtp
| where _count>10

 

1 Like
Reply
tijan2018

‎Feb 15 2022 05:49 PM

‎Feb 15 2022 05:49 PM

Re: KQL

Awesome Gary. Thanks for the feedback. Very much appreciated.
0 Likes
Reply