# AzureActivity Compromised Account

## Query Information

#### Description

This query lists all the actions (ACTION, DELETE, WRITE, etc.) performed by a compromised account.

## Defender XDR

```
let CompromisedAccountUPN = "test@test.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
AzureActivity
| where Caller =~ CompromisedAccountUPN
| where TimeGenerated > ago(SearchWindow)
| summarize TotalEvents = count() by OperationNameValue
| sort by TotalEvents desc
```

## Sentinel

```
let CompromisedAccountUPN = "test@test.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
AzureActivity
| where Caller =~ CompromisedAccountUPN
| where TimeGenerated > ago(SearchWindow)
| summarize TotalEvents = count() by OperationNameValue
| sort by TotalEvents desc
```
This query tracks and summarizes the actions performed by a potentially compromised account within a specified time frame. Here's a simple breakdown:

- **Compromised Account:** The query is focused on a specific user account, identified by the UPN "test@test.com", which is suspected to be compromised. The `=~` operator makes the match case-insensitive.
- **Time Frame:** It looks at activities that occurred within the last 48 hours. This window can be adjusted as needed (e.g., `48h` for hours, `7d` for days).
- **Data Source:** The query examines the AzureActivity logs, which record control-plane actions taken against Azure resources.
- **Filter and Summarize:** It filters the logs to only include actions performed by the compromised account and counts how many times each operation (`OperationNameValue`, e.g. operations ending in DELETE, WRITE or ACTION) was performed.
- **Sort:** The results are sorted in descending order by the number of times each operation was performed, highlighting the most frequent actions.

Overall, this query helps identify what activities the compromised account has been involved in recently, which can be crucial for security investigations and responses.
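As an added example (not part of the original page or the author's query set), the same scoping extended so each operation also shows its outcome, source IPs and target resources, which are usually the next questions in an investigation. Column names follow the standard AzureActivity schema; which verbs are flagged as destructive is an assumption made for the example.

```kql
// Added example, not from the original page: per-operation breakdown with
// outcome, first/last seen, caller IPs and targeted resources.
let CompromisedAccountUPN = "test@test.com";
let SearchWindow = 48h; // Customizable: h = hours, d = days
AzureActivity
| where TimeGenerated > ago(SearchWindow)
| where Caller =~ CompromisedAccountUPN
// AzureActivity logs Start and Success/Failure as separate events; keep only the
// terminal events so each operation is counted once and its outcome is known.
| where ActivityStatusValue in~ ("Success", "Succeeded", "Failure", "Failed")
| extend Verb = toupper(tostring(split(OperationNameValue, "/")[-1]))
// Assumption for this example: treat these verbs as the ones worth looking at first.
| extend DestructiveRank = iff(Verb in ("DELETE", "WRITE", "ACTION"), 1, 0)
| summarize
    TotalEvents = count(),
    Failures = countif(ActivityStatusValue in~ ("Failure", "Failed")),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    CallerIPs = make_set(CallerIpAddress, 10),
    Resources = make_set(_ResourceId, 10)
    by OperationNameValue, Verb, ResourceGroup, DestructiveRank
| sort by DestructiveRank desc, TotalEvents desc
| project-away DestructiveRank
```

A burst of WRITE or DELETE operations from a caller IP the account has never used before, concentrated in one resource group, is the pattern this view is meant to surface.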

Bert-Jan Pals
Released: March 23, 2026