user_subject user_subject | inputlookup userSubjectInformation | addinfo | where ((NOT isnum(info_max_time)) OR time > info_min_time AND time < info_max_time)| table user_subject $earliest$ $latest$ -7d@h now
Recent Logins eventtype="client-*-usage" | eval cs_username=if (eventtype==client-popimap-usage,mvindex(Account_Domain,-1)."\\".mvindex(Account_Name,-1),cs_username) | `normalize_user` | search user_subject="$username$" | rex field=eventtype "client-(?<AccessMethod>[^-]+)-usage" | lookup useragent cs_user_agent | iplocation c_ip | eval Time=strftime(_time,"%a %b %e %l:%M%p %Y") | rename AccessMethod as "Access Method", IPAddress as "IP Address" | rename browser as "Browser", browserversion as "Browser Version" | rename os as "OS", osvariant as "OS Variant", osversion as "OS Version" | table "Time", "IP Address", "Location", "Access Method", "Browser", "Browser Version", "OS", "OS Variant", "OS Version"
Mailbox Information `msexchange-user-stats("$username$")` -24h now
Mailbox Size over Time `mailbox-info-for-user("$username$")` | eval TotalItemMB=TotalItemSize/1048576 | eval DeletedItemMB=TotalDeletedItemSize/1048576 | timechart fixedrange=t max(TotalItemMB) as "Total Size", max(DeletedItemMB) as "Deleted Items Size"