Forum Discussion

tijan2018's avatar
tijan2018
Former Employee
Mar 09, 2022
Solved

Audit Logs

I am trying to write a query that will output results of audit logs for external users added to AAD outside of work hours. Below is the query I currently have but it isn't giving me the results I wan...
KQL
  • Jonhed's avatar
    Jonhed
    Mar 09, 2022

    tijan2018 

    When you specify just time in a datetime value it implicitly means "Today at hh:mm:ss", so your query searches for any log that is not between "Today 06:00 and Today 23:00".

     

    Maybe you want something like this?

    AuditLogs
| where OperationName == "Invite external user"
| where hourofday(TimeGenerated) !between (6 .. 22)
Jonhed's avatar
Jonhed
Iron Contributor
Mar 09, 2022

tijan2018 

When you specify just time in a datetime value it implicitly means "Today at hh:mm:ss", so your query searches for any log that is not between "Today 06:00 and Today 23:00".

 

Maybe you want something like this?

AuditLogs
| where OperationName == "Invite external user"
| where hourofday(TimeGenerated) !between (6 .. 22)
tijan2018's avatar
tijan2018
Former Employee
Mar 09, 2022
This is excellent. Makes sense now. It is now giving me the desired output of the audit activities outside of the time range indicated in the query. Thank you!

Resources