Mirrors/marcredhat-kql
1
0
Fork 0
mirror of https://github.com/marcredhat/kql synced 2026-06-09 21:47:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Initial commit: KQL ↔ SDL PowerQuery proof of equivalence

Browse Source
This commit is contained in:
marc
2026-06-01 09:57:14 +02:00
commit 23cbaa9c08
91 changed files with 5966 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
kql/10_sharepoint_anomaly.kql
+14
View File
@@ -0,0 +1,14 @@
let threshold = 25;
let baseline = OfficeActivity
| where TimeGenerated between(ago(14d) .. ago(1d))
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| summarize Count = count() by UserId, Operation, Site_Url, ClientIP
| summarize AvgCount = avg(Count) by UserId, Operation, Site_Url, ClientIP;
let recent = OfficeActivity
| where TimeGenerated > ago(1d)
| where RecordType == "SharePointFileOperation"
| summarize RecentCount = count() by UserId, Operation, Site_Url, ClientIP;
baseline | join kind=inner (recent) on UserId, Operation, Site_Url, ClientIP
| extend Deviation = abs(RecentCount - AvgCount) / AvgCount
| where Deviation > threshold