Query Details
//List the bulk activities attempted by your privileged Azure AD users and parse the results
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where OperationName has_all ("(bulk)", "finished")
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeGenerated, Actor, ResultDescription, OperationName
| parse ResultDescription with * "Total activities count:" ['Total Activity Count'] ";" *
| parse ResultDescription with * "succeeded activities count" ['Total Succeeded'] ";" *
| parse ResultDescription with * "failed activities count" ['Total Failed']
| project
    TimeGenerated,
    Actor,
    OperationName,
    ['Total Activity Count'],
    ['Total Succeeded'],
    ['Total Failed']

This query lists the bulk activities attempted by privileged Azure AD users and parses the results. It uses the Azure Active Directory - Audit Logs data connector. For each finished bulk operation the query returns the time generated, actor, operation name, total activity count, total succeeded count, and total failed count parsed out of the result description.

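A follow-on query, added here as an example and not part of the original query above, converts the parsed counts to integers and surfaces bulk runs that are either very large or have a high failure share, summarised per actor and day. It assumes the same ResultDescription layout the original query parses, pulls the first run of digits out of each captured fragment so stray colons or spaces do not break the conversion, and the thresholds (200 activities, 25% failed) are placeholder values to tune for your tenant.

```kql
// Added example, not the original query: numeric counts plus a simple failure/volume filter.
// Assumes the ResultDescription layout parsed by the query above; thresholds are placeholders.
AuditLogs
| where OperationName has_all ("(bulk)", "finished")
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| parse ResultDescription with * "Total activities count:" TotalRaw ";" *
| parse ResultDescription with * "succeeded activities count" SucceededRaw ";" *
| parse ResultDescription with * "failed activities count" FailedRaw
// extract the first run of digits so a leading ": " in the captured text is harmless
| extend TotalCount = toint(extract(@"\d+", 0, TotalRaw)),
         SucceededCount = toint(extract(@"\d+", 0, SucceededRaw)),
         FailedCount = toint(extract(@"\d+", 0, FailedRaw))
| extend FailedPct = iff(TotalCount > 0, round(100.0 * FailedCount / TotalCount, 1), 0.0)
// keep only runs that are large or mostly failing (placeholder thresholds)
| where TotalCount >= 200 or FailedPct >= 25
| summarize Runs = count(),
            TotalActivities = sum(TotalCount),
            TotalSucceeded = sum(SucceededCount),
            TotalFailed = sum(FailedCount),
            Operations = make_set(OperationName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Actor, Day = bin(TimeGenerated, 1d)
| order by TotalActivities desc
```

Review the Operations set alongside the counts: a large successful bulk delete or role change by an account that never runs bulk jobs is worth a closer look even when nothing failed.
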
Matt Zorich
Released: June 17, 2022