kqlHunting

Office Add-in Installs

This query looks for Office add-in installs recorded in CloudAppEvents and counts them by add-in name and application.

Detection Query

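// This query looks for Office add-in installs
CloudAppEvents
// Keep only install events; the commented-out alternative matches a second action type
| where ActionType == @"AppInstalled" //or ActionType == @"Add application."
// Count installs per add-in name (taken from RawEventData) and application
| summarize count() by AddOnName = tostring(parse_json(RawEventData)["AddOnName"]), Application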

Data Sources

CloudAppEvents

Tags

office-365