도움이 되었나요?
panther_logs.public.panther_audit
| where actor.name == "[email protected]"panther_logs.public.panther_audit
| where actor['name'] == "[email protected]"panther_logs.public.panther_audit
| where actionParams.dynamic.input.tableProperties[0].propertyId != nullpanther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| summarize row_count=agg.count()panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionNamepanther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
| where num_events < 5
| sort num_events asclet new_logins = panther_logs.public.panther_audit
| where p_event_time > time.ago(7d) and p_udm.user.email != null
| summarize recent_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email;
panther_logs.public.panther_audit
| where p_event_time > time.ago(60d) and p_event_time < time.ago(7d) and p_udm.user.email != null
| summarize baseline_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email
| join kind=inner new=(new_logins) on $left.email == $right.email
| where new.recent_ips[0] not in baseline_ips