Query Details

Hard User Delete

Query

# Hunt for activities where Hard Delete user was performed
----
### Defender For Endpoint

```kql
CloudAppEvents
| where ActionType == "Hard Delete user."
| extend DeletedUser = parse_json(RawEventData).ObjectId
| project
     Timestamp,
     ActionType,
     Application,
     InitiatingUser = AccountDisplayName,
     DeletedUser
```

### Sentinel

```kql
CloudAppEvents
| where ActionType == "Hard Delete user."
| extend DeletedUser = parse_json(RawEventData).ObjectId
| project
     TimeGenerated,
     ActionType,
     Application,
     InitiatingUser = AccountDisplayName,
     DeletedUser
```

Explanation

The query searches the CloudAppEvents table for activities where a "Hard Delete user." action was performed, meaning a user account was permanently deleted rather than soft-deleted to the recycle bin. It returns the timestamp, action type, application, the account that initiated the deletion (AccountDisplayName) and the deleted user, which is extracted from the ObjectId field of the RawEventData JSON. The same query is provided for both Defender for Endpoint and Sentinel; the only difference is the timestamp column (Timestamp versus TimeGenerated).
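A single hard delete is usually routine administration, while several hard deletes by one account in a short window is the pattern a defender would want to surface. The following KQL is an added example, not part of the original query or of the author's repository: it aggregates the same CloudAppEvents records per initiating account and application in hourly bins and lists the deleted users. The lookback, window and threshold values are assumptions to tune for your tenant; for Sentinel, replace `Timestamp` with `TimeGenerated`.

```kql
// Added example (not from the original page): flag accounts that hard-deleted
// several users within a short window. Lookback, window and threshold are
// assumed values, not part of the original query.
let lookback = 30d;   // how far back to search
let window = 1h;      // bin size for grouping deletions
let threshold = 3;    // deletions per bin before the initiating account is flagged
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "Hard Delete user."
// ObjectId in RawEventData identifies the deleted user; cast to string for make_set
| extend DeletedUser = tostring(parse_json(RawEventData).ObjectId)
| summarize
    DeleteCount = count(),
    DeletedUsers = make_set(DeletedUser, 50),
    FirstDelete = min(Timestamp),
    LastDelete = max(Timestamp)
    by InitiatingUser = AccountDisplayName, Application, bin(Timestamp, window)
| where DeleteCount >= threshold
| project-away Timestamp
| order by DeleteCount desc
```

The `summarize` keeps the bin column named `Timestamp`, so it is dropped with `project-away` once `FirstDelete` and `LastDelete` carry the useful time bounds; `make_set` is capped at 50 entries so a mass-deletion event does not produce an unwieldy row.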

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

CloudAppEvents

Keywords

CloudAppEvents, ActionType, Hard Delete user, parse_json, RawEventData, ObjectId, Timestamp, Application, InitiatingUser, AccountDisplayName, DeletedUser, TimeGenerated

Operators

where, extend, parse_json, project
