Query Details

LA Query New Users Querying Data

Query

//Find users querying your Log Analytics/Sentinel data for the first time

//Data connector required for this query - Log Analytics diagnostic settings enabled on your Sentinel workspace

let knownusers=
    LAQueryLogs
    | where TimeGenerated > ago(180d) and TimeGenerated < ago(1d)
    | distinct AADEmail
    | where isnotempty(AADEmail);
LAQueryLogs
| where TimeGenerated > ago(1d)
| where AADEmail !in (knownusers)
| where isnotempty(AADEmail)
| project TimeGenerated, AADEmail, QueryText

Explanation

This query looks for users who are querying your Log Analytics/Sentinel data for the first time. It depends on the LAQueryLogs table, which is only populated when Log Analytics diagnostic settings are enabled on your Sentinel workspace.

The query first builds a list of known users: every distinct, non-empty AADEmail that ran a query between 180 days ago and 1 day ago. It then takes the queries from the last day and keeps only the rows whose AADEmail is not in that list, again discarding empty AADEmail values. Finally it projects the TimeGenerated, AADEmail, and QueryText columns, so a new user who ran several queries in the last day appears once per query.
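The same baseline-versus-lookback logic, rewritten in Python over a constructed set of LAQueryLogs-style rows so it can be run offline. This is an added example, not code from the page or its author; the sample rows, the email addresses and the helper names (find_new_query_users, first_query_per_new_user) are assumptions. It reproduces the KQL's windows exactly, and the sample data exercises two behaviours worth knowing before turning the query into an analytic rule: a user whose only earlier activity is older than 180 days is reported as "new" again, and a new user produces one hit per query rather than one per user, which the second helper collapses.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample rows (not real telemetry).
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)


def _row(hours_ago, email, query):
    # Shape mirrors the three LAQueryLogs columns the KQL projects.
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago),
            "AADEmail": email, "QueryText": query}


SAMPLE_LOGS = [
    _row(24 * 30, "alice@contoso.example", "SecurityEvent | take 10"),  # inside baseline window
    _row(3, "alice@contoso.example", "SigninLogs | take 10"),           # known user, not reported
    _row(5, "bob@contoso.example", "LAQueryLogs | take 10"),            # first ever query
    _row(2, "bob@contoso.example", "SecurityAlert | take 10"),          # second query, same day
    _row(24 * 200, "carol@contoso.example", "Heartbeat | take 10"),    # older than 180d baseline
    _row(1, "carol@contoso.example", "Heartbeat | take 10"),           # reported: baseline forgot her
    _row(4, "", "Usage | take 10"),                                     # empty AADEmail, dropped
]


def find_new_query_users(rows, now=NOW, baseline_days=180, lookback_days=1):
    """Mirror the KQL: baseline = distinct non-empty AADEmail with
    ago(baseline_days) < TimeGenerated < ago(lookback_days); then return every
    row in the last lookback_days whose non-empty AADEmail is not in the baseline."""
    baseline_start = now - timedelta(days=baseline_days)
    baseline_end = now - timedelta(days=lookback_days)
    known_users = {
        r["AADEmail"] for r in rows
        if baseline_start < r["TimeGenerated"] < baseline_end and r["AADEmail"]
    }
    return [
        (r["TimeGenerated"], r["AADEmail"], r["QueryText"])
        for r in rows
        if r["TimeGenerated"] > baseline_end
        and r["AADEmail"]
        and r["AADEmail"] not in known_users
    ]


def first_query_per_new_user(rows, **kwargs):
    """Collapse the per-row output to one entry per new user: earliest query,
    its text, and how many queries that user ran in the lookback window."""
    summary = {}
    for ts, email, query in sorted(find_new_query_users(rows, **kwargs)):
        entry = summary.setdefault(email, {"first_seen": ts, "first_query": query, "count": 0})
        entry["count"] += 1
    return summary


if __name__ == "__main__":
    for ts, email, query in find_new_query_users(SAMPLE_LOGS):
        print(ts.isoformat(), email, query)
    print(first_query_per_new_user(SAMPLE_LOGS))
```

Running it reports bob twice and carol once, while alice (seen 30 days ago) and the empty-principal row are filtered out. If you only want one alert per new user, the summarised form is the one to hand to an analytic rule; in KQL that is a `summarize` over AADEmail on the last stage of the query.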

Details

Matt Zorich

Released: June 17, 2022

Tables

LAQueryLogs

Keywords

Users,LogAnalytics,Sentinel,Data,Connector,Diagnostic,Settings,Enabled,Workspace,LAQueryLogs,TimeGenerated,ago,distinct,AADEmail,isnotempty,in,knownusers,project,QueryText

Operators

where, >, ago, <, distinct, isnotempty, in, project