Query Details

Audit Logs User Activities

Query

# List all AuditLog activities of a user

### Sentinel
```KQL
let AccountUPN = "user@example.com"; // Placeholder: UPN of the account to review
let SearchWindow = 48h; // Customizable: h = hours, d = days
AuditLogs
| where TimeGenerated > ago(SearchWindow)
// InitiatedBy.user is only populated when a user (not an app) performed the action
| extend InitiatingUser = parse_json(InitiatedBy.user)
| extend InitatingUPN = parse_json(InitiatingUser).userPrincipalName
| where InitatingUPN == AccountUPN
| project-reorder TimeGenerated, InitatingUPN, OperationName, ResultDescription, ActivityDisplayName, Resource, Result
```



Explanation

This query lists all AuditLog activities of a specific user within a customizable time window.

Details

Bert-Jan Pals

Released: April 25, 2024

Tables

AuditLogs

Keywords

AuditLogs,User,TimeGenerated,InitiatingUser,InitatingUPN,OperationName,ResultDescription,ActivityDisplayName,Resource,Result

Operators

let, where, extend, parse_json, project-reorder