Query Details

Audit New Operations

Query

//Find any new operations generated in the Azure AD audit table in the last week compared to the last 90 days

//Data connector required for this query - Azure Active Directory - Audit Logs

let existingoperations=
    AuditLogs
    | where TimeGenerated > ago(90d) and TimeGenerated < ago(7d)
    | distinct OperationName;
AuditLogs
| where TimeGenerated > ago(7d)
| summarize Count=count() by OperationName, Category
| where OperationName !in (existingoperations)
| sort by Count desc 

Explanation

This query is looking for any new operations that have been generated in the Azure AD audit table in the last week, compared to the previous 90 days. It uses the Azure Active Directory - Audit Logs data connector.

First, it retrieves a list of existing operations that occurred in the previous 90 days. Then, it filters the audit logs for operations that occurred in the last week. It summarizes the count of each operation by its name and category. It then filters out any operations that are already in the existing operations list. Finally, it sorts the results by the count of each operation in descending order.
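To show the same baseline-versus-recent logic outside Log Analytics, here is an added Python reimplementation (not part of the original page) run over a small constructed set of AuditLogs rows. The `now` timestamp and the sample rows are assumptions; the function mirrors the KQL step by step, and the sample includes an operation last seen before the 90-day window so the baseline gap is visible.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed "query time"; ago(90d) / ago(7d) are computed relative to it.
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)

# Constructed AuditLogs rows (TimeGenerated, OperationName, Category), not real tenant data.
SAMPLE_AUDIT_LOGS = [
    (NOW - timedelta(days=60), "Update user", "UserManagement"),
    (NOW - timedelta(days=30), "Add member to group", "GroupManagement"),
    (NOW - timedelta(days=10), "Update user", "UserManagement"),
    (NOW - timedelta(days=2), "Update user", "UserManagement"),
    (NOW - timedelta(days=3), "Add service principal", "ApplicationManagement"),
    (NOW - timedelta(days=1), "Add service principal", "ApplicationManagement"),
    (NOW - timedelta(days=5), "Add member to group", "GroupManagement"),
    # Seen 120 days ago: outside the 90-day baseline, so it will be reported as "new".
    (NOW - timedelta(days=120), "Reset password (by admin)", "UserManagement"),
    (NOW - timedelta(days=4), "Reset password (by admin)", "UserManagement"),
]


def audit_new_operations(rows, now=NOW, baseline_days=90, recent_days=7):
    """Return [(OperationName, Category, Count)] for operations seen in the
    last `recent_days` that were not seen in (now-baseline_days, now-recent_days)."""
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)
    # let existingoperations = AuditLogs
    #   | where TimeGenerated > ago(90d) and TimeGenerated < ago(7d)
    #   | distinct OperationName
    existing = {op for t, op, _ in rows if baseline_start < t < recent_start}
    # AuditLogs | where TimeGenerated > ago(7d)
    #   | summarize Count=count() by OperationName, Category
    counts = Counter((op, cat) for t, op, cat in rows if t > recent_start)
    # | where OperationName !in (existingoperations) | sort by Count desc
    new_ops = [(op, cat, n) for (op, cat), n in counts.items() if op not in existing]
    return sorted(new_ops, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for op, cat, n in audit_new_operations(SAMPLE_AUDIT_LOGS):
        print(f"{n:>3}  {op:<28} {cat}")
```

Note that the baseline is keyed on OperationName alone, as in the query, so a known operation appearing under a new Category is not flagged.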

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AzureAD,AuditLogs,TimeGenerated,OperationName,Category,existingoperations,Count

Operators

where, ago, distinct, summarize, count, by, in, sort, desc