kusto query language
KQL
Hi, I am trying to modify the below KQL query to use as a scheduled log analytics rule in Microsoft Sentinel to only trigger an incident when more than 10 emails have been sent on behalf of a user in a day. Any input or guidance will be highly appreciated.

OfficeActivity
| where Operation == "SendOnBehalf"
| summarize by TimeGenerated, UserId, ClientIP, SendOnBehalfOfUserSmtp, SendAsUserSmtp
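One way to express the threshold described in the question, as an added example that is not part of the original post: `summarize by` with no aggregate only returns distinct rows, so this version counts events per `SendOnBehalfOfUserSmtp` instead. It assumes the rule runs once a day over a 1-day lookback and that "a user" means the mailbox owner being sent on behalf of; the `threshold` variable and the output column names are illustrative.

```kusto
// Added example: count SendOnBehalf events per mailbox owner over the last day.
// Assumption: the scheduled rule runs every 1 day and looks back 1 day.
let threshold = 10;
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation == "SendOnBehalf"
| summarize
    EmailCount = count(),                      // number of send-on-behalf events
    Senders    = make_set(UserId, 50),         // accounts that did the sending
    ClientIPs  = make_set(ClientIP, 50),       // source addresses, kept for triage
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by SendOnBehalfOfUserSmtp
| where EmailCount > threshold                 // only rows above 10 produce a result
| order by EmailCount desc
```

With the filter inside the query, the rule's alert threshold can stay at "number of query results is greater than 0". To count per sending account instead, group by `UserId` and collect `SendOnBehalfOfUserSmtp` with `make_set`.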