Query Details

Entra Account Disabled

Query

AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Disable account"   // exact, case-sensitive match
| where Result == "success"
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend TargetId = tostring(TargetResources[0].id)
| extend DisplayName = tostring(TargetResources[0].displayName)
// InitiatedBy is already a dynamic column, so its nested fields can be read directly;
// fall back to the application's display name when no user object is present
| extend Initiator = iff(isempty(tostring(InitiatedBy.user.userPrincipalName)), tostring(InitiatedBy.app.displayName), tostring(InitiatedBy.user.userPrincipalName))
| project TimeGenerated, Initiator, Target, TargetId, DisplayName, IPAddress = tostring(InitiatedBy.user.ipAddress)

Explanation

This KQL (Kusto Query Language) query analyzes Microsoft Entra audit logs and returns every successful account disablement in the last 90 days, together with who (or what) performed it. Here's a breakdown of what the query does:

  1. Data Source: It starts by looking at the AuditLogs table.

  2. Time Filter: It filters the logs to include only those generated in the last 90 days.

  3. Operation Filter: It further narrows down the logs to only include entries where the operation performed was "Disable account."

  4. Result Filter: It ensures that only successful operations are considered by checking if the result was "success."

  5. Data Extraction:

    • It extracts the userPrincipalName of the target account (the account that was disabled) and assigns it to a new column called Target.
    • It extracts the id of the target account and assigns it to a new column called TargetId.
    • It extracts the displayName of the target account and assigns it to a new column called DisplayName, so the output carries both the sign-in name (UPN) and the human-readable name.
    • It determines who initiated the account disablement. If the action was initiated by a user, it extracts the userPrincipalName; if initiated by an application (InitiatedBy.user is absent), it extracts the application's displayName instead. This value is stored in a new column called Initiator.

  6. Projection: Finally, it selects and displays the following columns in the output:

    • TimeGenerated: The time when the log entry was created.
    • Initiator: The user or application that initiated the account disablement.
    • Target: The userPrincipalName of the account that was disabled.
    • TargetId: The object ID of the account that was disabled.
    • DisplayName: The display name of the account that was disabled.
    • IPAddress: The IP address of the user who initiated the action. This is read only from InitiatedBy.user, so it is empty when an application initiated the disablement.

In summary, this query provides a list of successful account disablement actions over the past 90 days, including details about the target account and the initiator of the action. Three points are worth checking before relying on it: the == operator is a case-sensitive exact match, so the OperationName string must be exactly "Disable account"; a 90-day window only returns what the workspace's retention actually keeps; and for application-initiated disablements the IPAddress column is empty. Disablements from an unfamiliar initiator or IP address, or several of them in a short period, deserve a closer look, because an intruder or a departing insider can disable accounts to lock out administrators and slow down the response.
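The following is an added example, not part of the original page or its author's query. It runs the same detection logic over a constructed sample of AuditLogs records (a datatable standing in for the real table, with fictional users, a fictional app and documentation-range IP addresses) and then goes one step further than the page's query: it groups the disablements by initiator and 30-minute window so that a burst of disables from one account stands out. The ago(90d) filter is omitted because the sample uses fixed timestamps; the threshold of two disables per window is an assumption to be tuned to your tenant's normal helpdesk volume.

```kql
// Added example (not the original query): constructed AuditLogs-shaped sample data,
// the page's per-event extraction, and a burst check over it. All names, IDs,
// IP addresses and the threshold are assumptions for illustration only.
let SampleAuditLogs = datatable(
    TimeGenerated: datetime,
    OperationName: string,
    Result: string,
    TargetResources: dynamic,
    InitiatedBy: dynamic
)[
    // A helpdesk user disables three accounts within ten minutes (interactive, so an IP is present).
    datetime(2025-11-20T10:15:00Z), "Disable account", "success",
        dynamic([{"id": "11111111-1111-1111-1111-111111111111", "userPrincipalName": "alice@contoso.example", "displayName": "Alice Adams"}]),
        dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example", "ipAddress": "203.0.113.10"}}),
    datetime(2025-11-20T10:18:00Z), "Disable account", "success",
        dynamic([{"id": "22222222-2222-2222-2222-222222222222", "userPrincipalName": "bob@contoso.example", "displayName": "Bob Brown"}]),
        dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example", "ipAddress": "203.0.113.10"}}),
    datetime(2025-11-20T10:24:00Z), "Disable account", "success",
        dynamic([{"id": "33333333-3333-3333-3333-333333333333", "userPrincipalName": "carol@contoso.example", "displayName": "Carol Chen"}]),
        dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example", "ipAddress": "203.0.113.10"}}),
    // An application-initiated disable: there is no user object, so no IP address is available.
    datetime(2025-11-20T11:02:00Z), "Disable account", "success",
        dynamic([{"id": "44444444-4444-4444-4444-444444444444", "userPrincipalName": "dave@contoso.example", "displayName": "Dave Diaz"}]),
        dynamic({"app": {"displayName": "Lifecycle Automation"}}),
    // A failed attempt and an unrelated operation: both must be filtered out.
    datetime(2025-11-20T11:05:00Z), "Disable account", "failure",
        dynamic([{"id": "55555555-5555-5555-5555-555555555555", "userPrincipalName": "erin@contoso.example", "displayName": "Erin Evans"}]),
        dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example", "ipAddress": "203.0.113.10"}}),
    datetime(2025-11-20T11:10:00Z), "Enable account", "success",
        dynamic([{"id": "11111111-1111-1111-1111-111111111111", "userPrincipalName": "alice@contoso.example", "displayName": "Alice Adams"}]),
        dynamic({"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "198.51.100.7"}})
];
// Step 1: the per-event view, same shape as the page's query.
// To run this live, replace SampleAuditLogs with AuditLogs and add the ago(90d) time filter.
let DisableEvents = SampleAuditLogs
    | where OperationName == "Disable account"   // '==' is case-sensitive: "disable account" would not match
    | where Result == "success"
    | extend Target = tostring(TargetResources[0].userPrincipalName),
             TargetId = tostring(TargetResources[0].id),
             DisplayName = tostring(TargetResources[0].displayName)
    // coalesce returns the first non-empty string, so the app name is used only when no user is present
    | extend Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName)),
             IPAddress = tostring(InitiatedBy.user.ipAddress);
// Step 2: flag initiators that disabled several accounts inside one 30-minute window.
// The threshold (2) is an assumption; tune it to the normal helpdesk volume in your tenant.
DisableEvents
| summarize DisabledCount = count(),
            Targets = make_set(Target),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Initiator, IPAddress, Window = bin(TimeGenerated, 30m)
| where DisabledCount >= 2
| project Window, Initiator, IPAddress, DisabledCount, Targets, FirstSeen, LastSeen
```

Against the sample, only helpdesk@contoso.example from 203.0.113.10 clears the threshold (three disables in the 10:00 to 10:30 window); the single application-initiated disable, the failed attempt and the Enable account event are all excluded. Keeping the per-event view in a let statement means the same extraction feeds both the page's flat listing and the burst check without duplicating the field parsing.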

Details


Jay Kerai

Released: December 2, 2025

Tables

AuditLogs

Keywords

AuditLogs, TimeGenerated, OperationName, Result, TargetResources, UserPrincipalName, InitiatedBy, DisplayName, IPAddress

Operators

|, where, >, ago(), ==, extend, =, tostring(), [ ], iff(), isempty(), project
