This query identifies rare activity carried out by a high-value account on a system or service. Rare here means an activity type seen in the last day that has not been seen in the previous 7 days. If any account with such rare activity is found, the query attempts to retrieve related activity from that account on the same day and summarizes the information.
Source: GitHub - Microsoft
MITRE ATT&CK Tactics
Windows Security Event Logs
Service account activity
Investigate account activity across entire network using Sentinel.
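The rare-activity logic described above, as an added Python example run over constructed events; it is not the Microsoft query itself. The account names, the watchlist, the event tuple layout and the choice to baseline per account are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 10, 12, 0)  # fixed "now" so the sample is reproducible
HIGH_VALUE = {"svc-backup", "adm-alice"}  # hypothetical watchlist

# Constructed events (time, account, activity, host); not real log data.
EVENTS = [
    (NOW - timedelta(days=9), "svc-backup", "4728 member added to global group", "DC01"),  # older than baseline
    (NOW - timedelta(days=5), "svc-backup", "4624 logon", "FS01"),
    (NOW - timedelta(days=2), "adm-alice", "4720 user account created", "DC01"),
    (NOW - timedelta(hours=20), "svc-backup", "4624 logon", "FS01"),
    (NOW - timedelta(hours=6), "svc-backup", "4720 user account created", "DC01"),
    (NOW - timedelta(hours=5), "svc-backup", "4728 member added to global group", "DC01"),
    (NOW - timedelta(hours=4), "adm-alice", "4720 user account created", "DC01"),
    (NOW - timedelta(hours=3), "jdoe", "4720 user account created", "DC01"),  # not high-value
]

def hunt_rare_activity(events, high_value, now,
                       recent=timedelta(days=1), baseline=timedelta(days=7)):
    """Return {account: summary} for accounts with activity types new in the last day."""
    recent_start = now - recent
    baseline_start = recent_start - baseline
    seen_before = defaultdict(set)   # account -> activity types in the 7-day baseline
    today = defaultdict(list)        # account -> events from the last day
    for ts, account, activity, host in events:
        if account not in high_value:
            continue
        if baseline_start <= ts < recent_start:
            seen_before[account].add(activity)
        elif recent_start <= ts <= now:
            today[account].append((ts, activity, host))
    report = {}
    for account, rows in today.items():
        rare = {a for _, a, _ in rows} - seen_before[account]
        if not rare:
            continue  # everything this account did today was seen in the baseline
        # Account has rare activity: summarize all of its activity for the day.
        report[account] = {
            "rare_activities": sorted(rare),
            "all_activities": sorted({a for _, a, _ in rows}),
            "hosts": sorted({h for _, _, h in rows}),
            "first_seen": min(ts for ts, _, _ in rows),
            "last_seen": max(ts for ts, _, _ in rows),
            "event_count": len(rows),
        }
    return report

if __name__ == "__main__":
    for account, summary in hunt_rare_activity(EVENTS, HIGH_VALUE, NOW).items():
        print(account, summary)
```

The 9-day-old group change falls outside the 7-day baseline, so the same activity in the last day still counts as rare; widening the baseline trades fewer such hits for slower recognition of new routine behaviour.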