Query Details

How Many Queries Each Person Ran

Query

// How many queries each person ran in the last 7 days
// The diagnostic setting for the Audit log must be enabled to expose the LAQueryLogs table

LAQueryLogs
| where TimeGenerated > ago(7d)
// One row per user with the number of queries they ran
| summarize events_count=count() by AADEmail
| extend UserPrincipalName = AADEmail, Queries = events_count
// Look up the display name; leftouter keeps users that have no sign-in record
| join kind=leftouter (
    SigninLogs)
    on UserPrincipalName
| project UserDisplayName, UserPrincipalName, Queries
// The join returns one row per sign-in record, so collapse back to one row per user
| summarize arg_max(Queries, *) by UserPrincipalName
| sort by Queries desc

Explanation

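This query counts how many queries each person ran in the last 7 days. It reads the LAQueryLogs table, which is only exposed once the Diag Setting for the Audit log is enabled. The rows are grouped by the person's email address (AADEmail) and counted. The query then left-outer-joins the SigninLogs table on UserPrincipalName to pick up each user's display name. Because that join returns one row for every matching sign-in record, the arg_max summarize step collapses the result back to one row per UserPrincipalName. The final result includes the user's display name, email address, and the number of queries they have run, sorted in descending order by the number of queries. The join is a case-sensitive string match, so a user whose AADEmail differs in case from the UserPrincipalName in SigninLogs, or who has no sign-in record in the queried time range, appears with an empty display name.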
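
A variant of the same count, as an added example that is not part of the original query or the author's code: it reduces the sign-in data to one row per user before the join and lower-cases both join keys. The sample tables, the contoso.example addresses, the AgeHours helper column and the 30-day sign-in lookback are constructed assumptions so the query runs without workspace data; replace the two sample tables with LAQueryLogs and SigninLogs to run it against a workspace.

```kusto
// Constructed sample rows standing in for LAQueryLogs (not real data).
// AgeHours is a helper column used to build timestamps relative to now().
// The last row is older than 7 days; the first three differ only in letter case.
let QueryLogSample = datatable(AgeHours:int, AADEmail:string) [
    2,   "Alice@contoso.example",
    5,   "Alice@contoso.example",
    30,  "alice@contoso.example",
    50,  "bob@contoso.example",
    200, "bob@contoso.example"
]
| extend TimeGenerated = now() - AgeHours * 1h;
// Constructed sample rows standing in for SigninLogs (not real data).
// Only alice has sign-in records; bob has none.
let SigninSample = datatable(AgeHours:int, UserPrincipalName:string, UserDisplayName:string) [
    1,  "alice@contoso.example", "Alice Example",
    26, "alice@contoso.example", "Alice Example",
    49, "alice@contoso.example", "Alice Example"
]
| extend TimeGenerated = now() - AgeHours * 1h;
// One row per user: the display name from the newest sign-in, keyed on a lower-cased UPN.
// The 30-day lookback is an assumption; widen it if users sign in less often.
let DisplayNames = SigninSample
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, UserDisplayName) by UserPrincipalName = tolower(UserPrincipalName);
QueryLogSample
| where TimeGenerated > ago(7d)
// Lower-case the key so differently cased addresses count as the same person
| summarize Queries = count() by UserPrincipalName = tolower(AADEmail)
// The right side already has one row per user, so no de-duplication is needed afterwards
| join kind=leftouter (DisplayNames) on UserPrincipalName
| project UserDisplayName, UserPrincipalName, Queries
| sort by Queries desc
```

Users without a sign-in record in the lookback window still appear in the result, with an empty UserDisplayName, because the join is leftouter.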

Details

Rod Trent

Released: September 30, 2020

Tables

LAQueryLogs, SigninLogs

Keywords

Queries,LAQueryLogs,TimeGenerated,ago,count,AADEmail,UserPrincipalName,events_count,SigninLogs,UserDisplayName,sort

Operators

where, ago, summarize, count, by, extend, join, kind, leftouter, on, project, arg_max, *, sort by, desc