Forum Discussion

AndrewX's avatar
AndrewX
Iron Contributor
Feb 06, 2019

Office365/AzureAd last logon

I ingest the Office365 unified audit log and AAD Signin Logs into Azure log analytics, and now use log analytics for almost all of my search requirements across Office365, Security, Audit etc..     ...
azure monitor
Query Language
Stanislav_Zhelyazkov's avatar
Stanislav_Zhelyazkov
MVP
Feb 08, 2019

Hi,

I am not sure if I can understand the request exactly but I will try to answer. I would like to first make a note that TimeGenerated is the time the log was generated. Keep in mind that there might be a different date/time column that shows the date of the login activity. With the above query you have pasted and specifically

| where TimeGenerated < ago(90d)

you are actually taking all records that have happened before 90 days. So I think this is what you are actually requested.

You can do also additional things like

| where TimeGenerated < ago(90d) and TimeGenerated > ago(120d)

To do exact time frame.

Also to note that by default Log Analytics stores data for 31 days. If you want to go beyond you will need to extend the retention period of your Log Analytics workspace.

Let me know if this helps.

Sean Stark's avatar
Sean Stark
Copper Contributor
Mar 15, 2019

Stanislav_Zhelyazkov 

 

I believe they are asking about correlating the office365 audit logs to azure ad auditg logs, more specifically sign in attributes. The problem is the office 365 logs do not expose any true sign in event to correlate the two data sources from what I can tell.

Resources