Query Details

Cross Resource Query

Query

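// Bind the AuditLogs table of another Log Analytics workspace (referenced by workspace ID) to a local name.
let AuditLogsDEV = workspace("9b5dc943-9550-4b95-ab2d-0f1c898956da").AuditLogs;
// Look-back window: the last 24 hours.
let start = ago(24h);
AuditLogsDEV
| where TimeGenerated > start
| where OperationName == "Add group"
// Convert the dynamic TargetResources array to a string so it can be searched as text.
| project flatten = tostring(TargetResources)
// contains is a case-insensitive substring match.
| where flatten contains "Unified"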

Explanation

This query reads the AuditLogs table from the Log Analytics workspace with ID 9b5dc943-9550-4b95-ab2d-0f1c898956da, which a let statement binds to the name AuditLogsDEV. It keeps only records generated within the last 24 hours whose operation name is "Add group". It then projects a single column, flatten, holding the TargetResources field converted to a string, and keeps the rows where that string contains "Unified". Because only flatten is projected, the result carries no separate timestamp or initiating-identity column.
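The following is an added example, not part of the original query or the author's code: the same "Add group" / "Unified" filter, but keeping the time, the initiating identity and the group name so each hit can be triaged. It runs against constructed sample rows in a datatable; the column names Actor and GroupName are hypothetical, and the sub-fields read from InitiatedBy and TargetResources are assumed to follow the standard AuditLogs schema.

```kusto
// Constructed sample rows standing in for AuditLogs (not real tenant data).
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, InitiatedBy:dynamic, TargetResources:dynamic)
[
    // Group creation by a user, target mentions "Unified" -> expected in the output.
    datetime(2020-03-26 10:00:00), "Add group",
        dynamic({"user": {"userPrincipalName": "admin@contoso.example"}}),
        dynamic([{"displayName": "Project-X", "type": "Group",
                  "modifiedProperties": [{"displayName": "GroupType", "newValue": "Unified"}]}]),
    // Group creation by an application, target mentions "Unified" -> expected in the output.
    datetime(2020-03-26 11:30:00), "Add group",
        dynamic({"app": {"displayName": "Provisioning Service"}}),
        dynamic([{"displayName": "Team-Finance", "type": "Group",
                  "modifiedProperties": [{"displayName": "GroupType", "newValue": "Unified"}]}]),
    // Group creation without "Unified" anywhere in the target -> filtered out.
    datetime(2020-03-26 12:00:00), "Add group",
        dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example"}}),
        dynamic([{"displayName": "VPN-Users", "type": "Group", "modifiedProperties": []}]),
    // Different operation -> filtered out.
    datetime(2020-03-26 12:15:00), "Add member to group",
        dynamic({"user": {"userPrincipalName": "admin@contoso.example"}}),
        dynamic([{"displayName": "Project-X", "type": "Group", "modifiedProperties": []}])
];
SampleAuditLogs
// Against a live workspace, add the page's time filter here: | where TimeGenerated > ago(24h)
| where OperationName == "Add group"
// One row per target resource, so each target is checked and reported separately.
| mv-expand Target = TargetResources
| where tostring(Target) contains "Unified"
// The initiator is either a user or an application; take whichever is populated.
| extend UserActor = tostring(InitiatedBy.user.userPrincipalName),
         AppActor = tostring(InitiatedBy.app.displayName)
| extend Actor = iff(isnotempty(UserActor), UserActor, AppActor)
| extend GroupName = tostring(Target.displayName)
| project TimeGenerated, Actor, GroupName
| order by TimeGenerated asc
```

To use it on real data, replace SampleAuditLogs with the workspace("...").AuditLogs reference from the query above.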

Details

Rod Trent

Released: March 26, 2020

Tables

AuditLogsDEV

Keywords

Devices,Intune,User,AuditLogs

Operators

|, where, let, workspace, ago, AuditLogs, start, ==, "Add group", project, flatten, tostring, TargetResources, contains