Query Details

Office Activity Exchange Auditlogdisabled

Query

OfficeActivity
| where Operation has "AdminAuditLogConfig"
| mv-apply Parameter = todynamic(Parameters) on (
    summarize ParsedParameters = make_bag(bag_pack(tostring(Parameter["Name"]), tostring(Parameter["Value"])))
    )
| where bag_has_key(ParsedParameters, "AdminAuditLogEnabled") and not(ParsedParameters["AdminAuditLogEnabled"] == "True")
| project
    TimeGenerated,
    OfficeWorkload,
    RecordType,
    UserType,
    UserId,
    Operation,
    ResultStatus,
    OfficeObjectId,
    Parameters

Explanation

This query looks at the OfficeActivity table (Office 365 audit data) for operations whose name contains the term "AdminAuditLogConfig", i.e. changes to the Exchange admin audit log configuration. For each such operation it parses the Parameters JSON array with todynamic() and, through mv-apply, folds the Name/Value pairs into a single property bag (ParsedParameters).

The query then keeps only the operations where that bag contains an AdminAuditLogEnabled parameter whose value is not "True", that is, the events in which admin audit logging was switched off. Rows without that parameter at all (other AdminAuditLogConfig changes) are not returned.

Finally, it displays the time the operation was generated, the type of office workload, the type of record, the type of user, the user ID, the operation, the result status, the office object ID, and the parameters.
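The same detection logic re-implemented in Python over constructed OfficeActivity rows, as an added example that is not part of the original page or the query author's work. It assumes the Parameters column is a JSON array of {"Name", "Value"} objects (the shape the query's Parameter["Name"] / Parameter["Value"] lookups rely on) and approximates KQL `has` as a whole-term, case-insensitive match.

```python
import json
import re

# Constructed sample OfficeActivity rows (not real tenant data).
SAMPLE_RECORDS = [
    {"UserId": "admin@contoso.example", "Operation": "Set-AdminAuditLogConfig",
     "Parameters": '[{"Name":"Identity","Value":"contoso.example"},'
                   '{"Name":"AdminAuditLogEnabled","Value":"False"}]'},
    {"UserId": "admin@contoso.example", "Operation": "Set-AdminAuditLogConfig",
     "Parameters": '[{"Name":"AdminAuditLogEnabled","Value":"True"}]'},
    {"UserId": "admin@contoso.example", "Operation": "Set-AdminAuditLogConfig",
     "Parameters": '[{"Name":"AdminAuditLogAgeLimit","Value":"90.00:00:00"}]'},
    {"UserId": "user@contoso.example", "Operation": "Set-Mailbox",
     "Parameters": '[{"Name":"AdminAuditLogEnabled","Value":"False"}]'},
    {"UserId": "admin@contoso.example", "Operation": "Set-AdminAuditLogConfig",
     "Parameters": "not json"},
]


def kql_has(text, term):
    """Approximate KQL `has`: case-insensitive match on a whole alphanumeric term,
    so "Set-AdminAuditLogConfig" has "AdminAuditLogConfig" but "...ConfigX" does not."""
    return term.lower() in (t.lower() for t in re.split(r"[^A-Za-z0-9]+", text))


def parse_parameters(raw):
    """Mirror mv-apply + make_bag(bag_pack(Name, Value)): fold the array into one dict.
    Non-JSON or empty input returns None; no AdminAuditLogEnabled key can be extracted
    from such a row, so the query would not flag it either."""
    try:
        items = json.loads(raw)
    except (TypeError, ValueError):
        return None
    if not isinstance(items, list) or not items:
        return None
    return {str(p.get("Name")): str(p.get("Value")) for p in items if isinstance(p, dict)}


def find_audit_log_disabled(records):
    """The page's detection: AdminAuditLogConfig operations whose AdminAuditLogEnabled
    parameter is present and not exactly "True" (case-sensitive, like the KQL ==)."""
    hits = []
    for rec in records:
        if not kql_has(rec.get("Operation", ""), "AdminAuditLogConfig"):
            continue
        params = parse_parameters(rec.get("Parameters"))
        if params is None or "AdminAuditLogEnabled" not in params:
            continue
        if params["AdminAuditLogEnabled"] != "True":
            hits.append({**rec, "ParsedParameters": params})
    return hits
```

Only the first sample row is returned: the "True" row, the row that changes a different setting, the Set-Mailbox row and the unparseable row all drop out, which is the behaviour the bag_has_key / not(== "True") pair in the query produces.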

Details


Jose Sebastián Canós

Released: March 1, 2023

Tables

OfficeActivity

Keywords

OfficeActivity,Operation,AdminAuditLogConfig,Parameter,Parameters,ParsedParameters,AdminAuditLogEnabled,TimeGenerated,OfficeWorkload,RecordType,UserType,UserId,ResultStatus,OfficeObjectId

Operators

OfficeActivity,where,has,mv-apply,todynamic,on,summarize,make_bag,bag_pack,tostring,where,bag_has_key,not,project,TimeGenerated,OfficeWorkload,RecordType,UserType,UserId,Operation,ResultStatus,OfficeObjectId,Parameters
