Office Activity Exchange Auditlogdisabled
Query
OfficeActivity
| where Operation has "AdminAuditLogConfig"
| mv-apply Parameter = todynamic(Parameters) on (
summarize ParsedParameters = make_bag(bag_pack(tostring(Parameter["Name"]), tostring(Parameter["Value"])))
)
| where bag_has_key(ParsedParameters, "AdminAuditLogEnabled") and not(ParsedParameters["AdminAuditLogEnabled"] == "True")
| project
TimeGenerated,
OfficeWorkload,
RecordType,
UserType,
UserId,
ClientIP,
Operation,
ResultStatus,
OfficeObjectId,
ParametersExplanation
This KQL query is designed to analyze and filter records from the OfficeActivity table related to administrative audit log configurations. Here's a simple breakdown of what the query does:
-
Filter for Specific Operations: It starts by filtering the records to only include those where the
Operationfield contains the term "AdminAuditLogConfig". This means it is focusing on activities related to the configuration of administrative audit logs. -
Extract and Parse Parameters: The query then uses
mv-applyto iterate over theParametersfield, which is expected to be a dynamic array. It converts this array into a dynamic object and creates a summarized bag of key-value pairs usingmake_bagandbag_pack. Each parameter's name and value are extracted and stored inParsedParameters. -
Filter for Specific Condition: It further filters the records to find those where the
ParsedParameterscontain a key named "AdminAuditLogEnabled" and its value is not "True". This means it is looking for configurations where the administrative audit log is not enabled. -
Select Specific Fields: Finally, the query projects (selects) a set of fields to be included in the output:
TimeGenerated,OfficeWorkload,RecordType,UserType,UserId,ClientIP,Operation,ResultStatus,OfficeObjectId, andParameters.
In summary, this query identifies and lists activities related to administrative audit log configurations where the audit log is not enabled, providing details about each activity such as the time it occurred, the user involved, and other relevant information.
Details

Jose Sebastián Canós
Released: August 18, 2025
Tables
Keywords
Operators