Castaldio86/KQL-O365-ClientSide-Forwards

## KQL-O365-ClientSide-Forwards
let Lookback_Long = ago(14d);
let Lookback_Short = ago(1h);
let AllSignins =
SigninLogs
| where TimeGenerated > Lookback_Long
| where ResultType == "0"
;
let Signins =
AllSignins
| summarize FirstSeen = min(TimeGenerated), LastObserved = max(TimeGenerated), Count = count() by IPAddress, UserPrincipalName, Location
;
let IPUsage =
AllSignins
| summarize UniqueUsers = dcount(UserPrincipalName) by IPAddress
;
let UserLocations =
AllSignins
| summarize Locations = tostring(make_set(Location)) by UserPrincipalName
;
let OutlookRuleCreation =
OfficeActivity
| where TimeGenerated > Lookback_Short
| where Operation == "UpdateInboxRules"
| extend ClientIP = iif(isnotempty(ClientIP), ClientIP, ClientIP_)
| parse kind=regex ClientIP with "[[]" IPAddress1 "]:" Port1
| parse kind=regex ClientIP with IPAddress2 ":" Port2
| extend IPAddress = iif(isnotempty(IPAddress1), IPAddress1, IPAddress2)
| extend Port = iif(isnotempty(Port1), Port1, Port2)
| distinct TimeGenerated, IPAddress, UserId
;
OutlookRuleCreation
| join kind=inner Signins on $left.UserId == $right.UserPrincipalName, IPAddress
| where (TimeGenerated - FirstSeen) between (0min..7day)
| join kind=inner IPUsage on IPAddress
| join kind=inner UserLocations on $left.UserId == $right.UserPrincipalName
| summarize by bin(TimeGenerated, 1d), UserId, IPAddress, FirstSeen, LastObserved, Location, Locations, Count, UniqueUsers
	let Lookback_Long = ago(14d);
	let Lookback_Short = ago(1h);
	let AllSignins =
	SigninLogs
	\| where TimeGenerated > Lookback_Long
	\| where ResultType == "0"
	;
	let Signins =
	AllSignins
	\| summarize FirstSeen = min(TimeGenerated), LastObserved = max(TimeGenerated), Count = count() by IPAddress, UserPrincipalName, Location
	;
	let IPUsage =
	AllSignins
	\| summarize UniqueUsers = dcount(UserPrincipalName) by IPAddress
	;
	let UserLocations =
	AllSignins
	\| summarize Locations = tostring(make_set(Location)) by UserPrincipalName
	;
	let OutlookRuleCreation =
	OfficeActivity
	\| where TimeGenerated > Lookback_Short
	\| where Operation == "UpdateInboxRules"
	\| extend ClientIP = iif(isnotempty(ClientIP), ClientIP, ClientIP_)
	\| parse kind=regex ClientIP with "[[]" IPAddress1 "]:" Port1
	\| parse kind=regex ClientIP with IPAddress2 ":" Port2
	\| extend IPAddress = iif(isnotempty(IPAddress1), IPAddress1, IPAddress2)
	\| extend Port = iif(isnotempty(Port1), Port1, Port2)
	\| distinct TimeGenerated, IPAddress, UserId
	;
	OutlookRuleCreation
	\| join kind=inner Signins on $left.UserId == $right.UserPrincipalName, IPAddress
	\| where (TimeGenerated - FirstSeen) between (0min..7day)
	\| join kind=inner IPUsage on IPAddress
	\| join kind=inner UserLocations on $left.UserId == $right.UserPrincipalName
	\| summarize by bin(TimeGenerated, 1d), UserId, IPAddress, FirstSeen, LastObserved, Location, Locations, Count, UniqueUsers