KQL Search

This KQL (Kusto Query Language) query is designed to analyze audit logs and extract specific information about successful "Delete device" operations that occurred within the last 90 days. Here's a simple breakdown of what the query does:

1. Data Source: It starts by looking at the AuditLogs table.

2. Time Filter: It filters the logs to include only those generated in the last 90 days.

3. Operation Filter: It further narrows down the logs to only include entries where the operation performed was "Delete device".

4. Result Filter: It ensures that only successful operations are considered by checking if the result was "success".

5. Extract Target ID: It creates a new column TargetId that extracts the ID of the target resource (device) from the first element of the TargetResources array.

6. Extract Target: It creates another column Target by extracting and modifying the userPrincipalName of the target resource, removing the first 32 characters.

7. Extract Display Name: It adds a column DisplayName that captures the userPrincipalName of the target resource.

8. Identify Initiator: It determines who initiated the operation. If the userPrincipalName is empty, it uses the displayName of the application that initiated the operation; otherwise, it uses the userPrincipalName of the user.

9. Extract IP Address: It adds a column IPAddress to capture the IP address of the user who initiated the operation.

Overall, this query is used to track and analyze successful device deletions, providing details about the target device, the initiator of the deletion, and their IP address.