joerodgers · February 4, 2026 16:09
diff --git a/DefenderAdvancedHunting_KQL.kql b/DefenderAdvancedHunting_KQL.kql
 // ALL AGENT INTERACTIONS PER HOUR
 CloudAppEvents 
 | extend AgentName = tostring((RawEventData).AgentName)
 | extend UserName  = tostring((RawEventData).UserId)
 | where ActionType == 'CopilotInteraction' 
 | where isnotempty(parse_json(RawEventData).AgentName)
 | summarize InteractionsPerHour = count() by UserName, DateHour = format_datetime(bin(datetime_utc_to_local(Timestamp,"America/New_York"), 1h), 'yyyy-MM-dd hh:mm:ss'), AgentName 
 | project ['Date/Hour (Eastern)'] = DateHour, UserName, AgentName, InteractionsPerHour
 | order by ['Date/Hour (Eastern)'], InteractionsPerHour  desc 

 // ALL AGENT INTERACTIONS PER DAY
 CloudAppEvents 
 | extend AgentName = tostring((RawEventData).AgentName)
 | extend UserName  = tostring((RawEventData).UserId)
 | where ActionType == 'CopilotInteraction' 
 | where isnotempty(parse_json(RawEventData).AgentName)
 | summarize InteractionsPerHour = count() by UserName, Date = format_datetime(bin(Timestamp, 1d), 'yyyy-MM-dd'), AgentName 
 | project Date, UserName, AgentName, InteractionsPerHour
 | order by Date, InteractionsPerHour desc 

 // SPECIFIC AGENT INTERACTIONS PER DAY
 let AgentId = "T_a3dcf89f-3859-9dc4-e3cb-0b6117a5f7d7.58036dbd-c771-4bfe-b6a3-36c697afb227";
 CloudAppEvents 
 | extend AgentName = tostring((RawEventData).AgentName)
 | extend UserName  = tostring((RawEventData).UserId)
 | where ActionType == 'CopilotInteraction' 
 | where isnotempty(parse_json(RawEventData).AgentName)
 | where parse_json(RawEventData).AgentId == AgentId
 | summarize InteractionsPerHour = count() by UserName, Date = format_datetime(bin(Timestamp, 1d), 'yyyy-MM-dd'), AgentName 
 | project Date, UserName, AgentName, InteractionsPerHour
 | order by Date, InteractionsPerHour desc
	// ALL AGENT INTERACTIONS PER HOUR
	CloudAppEvents
	\| extend AgentName = tostring((RawEventData).AgentName)
	\| extend UserName = tostring((RawEventData).UserId)
	\| where ActionType == 'CopilotInteraction'
	\| where isnotempty(parse_json(RawEventData).AgentName)
	\| summarize InteractionsPerHour = count() by UserName, DateHour = format_datetime(bin(datetime_utc_to_local(Timestamp,"America/New_York"), 1h), 'yyyy-MM-dd hh:mm:ss'), AgentName
	\| project ['Date/Hour (Eastern)'] = DateHour, UserName, AgentName, InteractionsPerHour
	\| order by ['Date/Hour (Eastern)'], InteractionsPerHour desc

	// ALL AGENT INTERACTIONS PER DAY
	CloudAppEvents
	\| extend AgentName = tostring((RawEventData).AgentName)
	\| extend UserName = tostring((RawEventData).UserId)
	\| where ActionType == 'CopilotInteraction'
	\| where isnotempty(parse_json(RawEventData).AgentName)
	\| summarize InteractionsPerHour = count() by UserName, Date = format_datetime(bin(Timestamp, 1d), 'yyyy-MM-dd'), AgentName
	\| project Date, UserName, AgentName, InteractionsPerHour
	\| order by Date, InteractionsPerHour desc

	// SPECIFIC AGENT INTERACTIONS PER DAY
	let AgentId = "T_a3dcf89f-3859-9dc4-e3cb-0b6117a5f7d7.58036dbd-c771-4bfe-b6a3-36c697afb227";
	CloudAppEvents
	\| extend AgentName = tostring((RawEventData).AgentName)
	\| extend UserName = tostring((RawEventData).UserId)
	\| where ActionType == 'CopilotInteraction'
	\| where isnotempty(parse_json(RawEventData).AgentName)
	\| where parse_json(RawEventData).AgentId == AgentId
	\| summarize InteractionsPerHour = count() by UserName, Date = format_datetime(bin(Timestamp, 1d), 'yyyy-MM-dd'), AgentName
	\| project Date, UserName, AgentName, InteractionsPerHour
	\| order by Date, InteractionsPerHour desc
No results found