Queries for the OfficeActivity table
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
All Office Activity
All the events provided by Office Activity.
OfficeActivity
| project TimeGenerated, UserId, Operation, OfficeWorkload, RecordType, _ResourceId
| sort by TimeGenerated desc nulls last
Users accessing files
Users sorted by number of OneDrive and SharePoint files they accessed.
OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last
File upload operation
Lists users sorted by number of files they uploaded to OneDrive and SharePoint.
OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileUploaded")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last
Office activity for user
The query presents user's activity over Office.
// Replace the UPN in the query with the UPN of the user of interest
let v_Users_UPN= "osotnoc@contoso.com";
OfficeActivity
| where UserId==v_Users_UPN
| project TimeGenerated, OfficeWorkload, Operation, ResultStatus, OfficeObjectId, _ResourceId
Creation of Forward rule
Lists creation of email forward rules.
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in~ ("New-TransportRule", "Set-TransportRule")
| extend RuleName = case(Operation =~ "Set-TransportRule", tostring(OfficeObjectId), Operation =~ "New-TransportRule", tostring(parse_json(Parameters)[1].Value), "Unknown")
| project TimeGenerated, ClientIP, UserId, Operation, RuleName, _ResourceId
Suspicious file name
Operations on files with name that might indicate obfuscation of an executable.
OfficeActivity
| where RecordType =~ "SharePointFileOperation" and isnotempty(SourceFileName)
| where OfficeObjectId has ".exe." and OfficeObjectId matches regex @"\.exe\.\w{0,4}$"