
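# Sentinel exploration query: for an input IP address entity, list the Azure
# accounts that were most active from that address in the -12h / +12h window.
Id: 97a1d515-abf2-4231-9a35-985f9de0bb91
DisplayName: The most active accounts on Azure from this IP
Description: The most active accounts on Azure from this IP during the range of -12h and +12h
# The input is an IP entity; its Address field is what Sentinel substitutes for
# the <Address> token at the bottom of the query.
InputEntityType: Ip
InputFields:
- Address
# Result rows are shaped as Account entities (the Account_* columns projected
# by the query).
OutputEntityTypes:
- Account
QueryPeriodBefore: 12h
QueryPeriodAfter: 12h
DataSources:
- AzureActivity
Tactics:
- Exfiltration
- CommandAndControl
- Collection
# `query` is a YAML literal block (|): every line of the KQL must be indented
# under the key, otherwise the block ends early and the file fails to parse.
# Notes on the KQL:
# - Callers containing '@' are treated as UPNs and split into name/suffix;
#   any other caller is cast with toguid(), so a non-GUID caller yields a null
#   Account_AadUserId together with empty Account_Name/Account_UPNSuffix.
# - The IP match uses =~ (case-insensitive), which also covers IPv6 literals.
# - NOTE(review): Account_AadTenantId is filled from AzureActivity.TenantId,
#   which in Azure Monitor tables is generally the Log Analytics workspace ID
#   rather than the Entra ID tenant — confirm this is the intended mapping.
query: |
  let AccountActivity_byIP = (v_IP_Address:string){
  AzureActivity
  | where Caller != '' and CallerIpAddress =~ v_IP_Address
  | summarize Account_Aux_StartTime = min(TimeGenerated),
  Account_Aux_EndTime = max(TimeGenerated),
  Count = count() by
  Caller, TenantId
  | top 10 by Count desc nulls last
  | extend UPN = iff(Caller contains '@', Caller, ''), Account_AadUserId = toguid(iff(Caller !contains '@', Caller,''))
  | extend Account_Name = split(UPN,'@')[0] , Account_UPNSuffix = split(UPN,'@')[1]
  | project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime
  };
  AccountActivity_byIP('<Address>')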