Query Details

User Deleted From Entra

Query

AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Delete user"
| where Result == "success"
| extend TargetId = tostring(TargetResources[0].id)
// Entra logs the UPN of a deleted user as <object ID without hyphens><original UPN>, so dropping the
// first 32 characters recovers the original UPN. replace_string(..., TargetId, '') would not strip the
// prefix, because TargetId still contains the hyphens.
| extend Target = substring(tostring(TargetResources[0].userPrincipalName), 32)
| extend DisplayName = tostring(TargetResources[0].userPrincipalName)
| extend Initiator = iff(isempty(parse_json(tostring(InitiatedBy.user)).userPrincipalName), parse_json(tostring(InitiatedBy.app)).displayName, parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend IPAddress = parse_json(tostring(InitiatedBy.user)).ipAddress

Explanation

This KQL (Kusto Query Language) query runs over the Microsoft Entra ID audit log and returns one row per successful user deletion in the last 90 days, together with who performed it and from which IP address. Step by step:

  1. Data Source: It reads the AuditLogs table, the Entra ID audit log as exported to the Log Analytics workspace.

  2. Time Filter: It keeps only records generated in the last 90 days (ago(90d)). The window can only reach as far back as the workspace retains AuditLogs.

  3. Operation Filter: It keeps only records whose OperationName is "Delete user". This is the soft delete that moves the account to the deleted-users list; permanent removal and restoration are logged under their own operation names ("Hard Delete user" and "Restore user") and are not matched here.

  4. Result Filter: It keeps only records whose Result is "success", so failed deletion attempts are dropped.

  5. Extract Target Information:

    • TargetId is the id of the first entry in the TargetResources array, the deleted user's object ID (a GUID with hyphens).
    • Target is the deleted user's original userPrincipalName. Entra logs the UPN of a deleted user as the 32-character object ID without hyphens followed by the original UPN; substring(..., 32) drops those first 32 characters (KQL substring is zero-based) and leaves the original UPN. The commented-out replace_string alternative would not strip the prefix, because TargetId still contains the hyphens.
    • DisplayName is, despite its name, the unmodified (prefixed) userPrincipalName of the first target resource, not TargetResources[0].displayName.
  6. Extract Initiator Information:

    • Initiator is InitiatedBy.user.userPrincipalName when the deletion was performed by a signed-in user. When that value is empty the deletion was performed by an application or service principal, and InitiatedBy.app.displayName is used instead.
    • IPAddress is InitiatedBy.user.ipAddress. It is empty for app-initiated deletions, because there is no user object to take it from.

Overall, the query lists successful user deletions with who was deleted, who (user or application) initiated the deletion and from which IP address, which is the starting point for spotting bulk or unexpected deletions, for example from an initiator or address not normally seen performing account administration.
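The same logic replayed offline, as an added example in Python (not the page's KQL and not Microsoft code): it applies the query's four filters and its extractions to constructed AuditLogs-style records, with made-up GUIDs, UPNs, IP addresses and the application name "HR Provisioning Connector", and adds one check the query does not make, comparing the 32-character prefix with the hyphen-less TargetId before dropping it. The sample set also contains the records the query must leave out (a "Hard Delete user" entry, a failed attempt and one older than 90 days), so the edge cases can be verified without a workspace.

```python
"""Offline replay of the User Deleted From Entra query over constructed records.

Added example, not the original page's query and not Microsoft code: it mirrors the
KQL's filters and extractions in Python so the object-ID prefix handling and the
user/app initiator fallback can be checked without a Log Analytics workspace.
All records, GUIDs, names and IPs below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Fixed reference time so the 90-day window is deterministic (assumption for the example).
NOW = datetime(2025, 12, 2, tzinfo=timezone.utc)


def _rec(ts, op, result, oid, upn, user=None, ip=None, app=None):
    """Build one constructed AuditLogs-style record with only the columns the query touches."""
    return {
        "TimeGenerated": ts, "OperationName": op, "Result": result,
        "TargetResources": [{"id": oid, "userPrincipalName": upn}],
        "InitiatedBy": {"user": {"userPrincipalName": user, "ipAddress": ip} if user else None,
                        "app": {"displayName": app} if app else None},
    }


ALICE_ID = "0f4a9c2e-6b1d-4e8f-9a3c-1d2e3f4a5b6c"  # constructed object IDs
BOB_ID = "7b2d1e40-93ac-4c5f-8e71-2a9b4c6d8e01"
SAMPLE_AUDITLOGS = [
    # user-initiated soft delete: the logged UPN is <object ID without hyphens><original UPN>
    _rec("2025-11-30T10:15:00Z", "Delete user", "success", ALICE_ID,
         ALICE_ID.replace("-", "") + "alice@contoso.com", user="admin@contoso.com", ip="203.0.113.10"),
    # app-initiated soft delete: InitiatedBy.user is null, so there is no ipAddress
    _rec("2025-11-20T08:00:00Z", "Delete user", "success", BOB_ID,
         BOB_ID.replace("-", "") + "bob@contoso.com", app="HR Provisioning Connector"),
    # permanent deletion is a different OperationName and must not be matched
    _rec("2025-11-21T09:00:00Z", "Hard Delete user", "success", BOB_ID,
         BOB_ID.replace("-", "") + "bob@contoso.com", user="admin@contoso.com", ip="203.0.113.10"),
    # failed attempt: dropped by the Result filter
    _rec("2025-11-25T14:30:00Z", "Delete user", "failure", "c3d4e5f6-a7b8-49c0-8d1e-2f3a4b5c6d7e",
         "carol@contoso.com", user="helpdesk@contoso.com", ip="198.51.100.7"),
    # outside the 90-day window
    _rec("2025-08-01T12:00:00Z", "Delete user", "success", "9e8d7c6b-5a49-4382-b1c0-d9e8f7a6b5c4",
         "9e8d7c6b5a494382b1c0d9e8f7a6b5c4dave@contoso.com", user="admin@contoso.com", ip="203.0.113.10"),
]


def parse_time(value):
    """Parse the ISO-8601 'Z' timestamps Log Analytics exports."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def strip_object_id_prefix(upn, object_id):
    """Recover the original UPN of a deleted user.

    The KQL does substring(upn, 32) unconditionally. Here the 32-character prefix is
    checked against the hyphen-less object ID first, so an unexpected format passes
    through unchanged instead of losing its first 32 characters.
    """
    prefix = object_id.replace("-", "")
    if len(prefix) == 32 and upn.startswith(prefix):
        return upn[32:]
    return upn


def initiator_of(record):
    """Mirror iff(isempty(user.userPrincipalName), app.displayName, user.userPrincipalName)."""
    initiated_by = record.get("InitiatedBy") or {}
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    user_upn = user.get("userPrincipalName") or ""
    if user_upn:
        return user_upn, user.get("ipAddress") or ""
    # app/service-principal initiated: no user object, hence no ipAddress, exactly as in the KQL
    return app.get("displayName") or "", ""


def deleted_users(records, now=NOW, lookback_days=90):
    """Apply the query's filters and extractions; one dict per successful soft delete."""
    cutoff = now - timedelta(days=lookback_days)
    rows = []
    for rec in records:
        if parse_time(rec["TimeGenerated"]) <= cutoff:
            continue
        if rec.get("OperationName") != "Delete user" or rec.get("Result") != "success":
            continue
        target = (rec.get("TargetResources") or [{}])[0]
        target_id = target.get("id") or ""
        raw_upn = target.get("userPrincipalName") or ""
        initiator, ip = initiator_of(rec)
        rows.append({
            "TimeGenerated": rec["TimeGenerated"],
            "TargetId": target_id,
            "Target": strip_object_id_prefix(raw_upn, target_id),
            "DisplayName": raw_upn,  # the query names the untouched, prefixed UPN column DisplayName
            "Initiator": initiator,
            "IPAddress": ip,
        })
    return rows


if __name__ == "__main__":
    for row in deleted_users(SAMPLE_AUDITLOGS):
        print(row)
```

Running the block prints the two rows the KQL would return (alice, user-initiated with an IP; bob, app-initiated with an empty IPAddress) and nothing for the hard delete, the failed attempt or the old record.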

Details


Jay Kerai

Released: December 2, 2025

Tables

AuditLogs

Keywords

AuditLogs, TimeGenerated, OperationName, Result, TargetId, Target, DisplayName, Initiator, IPAddress

Operators

AuditLogs, where, >, ago, ==, extend, tostring, substring, replace_string, iff, isempty, parse_json, .
