Audit List Bulk Activities
Query
//List the bulk activities attempted by your privileged Azure AD users and parse the results
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where OperationName has_all ("(bulk)", "finished")
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeGenerated, Actor, ResultDescription, OperationName
| parse ResultDescription with * "Total activities count:" ['Total Activity Count'] ";" *
| parse ResultDescription with * "succeeded activities count" ['Total Succeeded'] ";" *
| parse ResultDescription with * "failed activities count" ['Total Failed']
| project
TimeGenerated,
Actor,
OperationName,
['Total Activity Count'],
['Total Succeeded'],
['Total Failed']Explanation
This query lists the bulk activities attempted by privileged Azure AD users and parses the results. It uses the Azure Active Directory - Audit Logs data connector. The query retrieves the time generated, actor, result description, operation name, total activity count, total succeeded count, and total failed count for each activity.
Details

Matt Zorich
Released: June 17, 2022
Tables
AuditLogs
Keywords
AuditLogsOperationNameResultDescriptionInitiatedBy.userTimeGeneratedActor['Total Activity Count']['Total Succeeded']['Total Failed']
Operators
has_allextendtostringparse_jsonprojectparsewith['Total Activity Count']['Total Succeeded']['Total Failed']