Hi all,since I am new to writing queries I would really appreciate your help.I need to write a query that will show a specific users first activity and last activity in a day. I need to also project which activity it was and to sum it all up, I need the results to be in a row for each day. I would really appreciate any suggestions or help. Thank you

mm83RI With added Last Activity // firstSeen SigninLogs | summarize arg_min(TimeGenerated,*) by UserPrincipalName // join to last seen data |join ( SigninLogs | summarize arg_max(TimeGenerated,*) by UserPrincipalName ) on UserPrincipalName | project UserPrincipalName, TimeGenerated, TimeGenerated1, OperationName | join ( OfficeActivity | summarize FirstActivity=arg_min(TimeGenerated, firstWorkload=OfficeWorkload, firstStatus=ResultStatus), LastActivity= arg_max(TimeGenerated, LastWorkload=OfficeWorkload, lastStatus=ResultStatus) by UserId ) on $left.UserPrincipalName == $right.UserId | project UserPrincipalName, FirstSeen=TimeGenerated, LastSeen=TimeGenerated1, OperationName, FirstActivity, LastActivity, firstWorkload, LastWorkload, firstStatus, lastStatus You should investigate the use of bin() bin() - Azure Data Explorer | Microsoft Learn to help with the extra ask about seeing multiple days.

You can add a new column with the Local time, use this:https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-utc-to-local-functione.g. (add the timezone of choice, I used 'CET' as an example)| extend localtime_ = datetime_utc_to_local(TimeGenerated,'CET')

TimeGenerated, as you used bin() is no longer a precise time, its midnight for each day. So just dont project it, First and Last are the columns you need..on TimeGenerated| project FirstActivity, LastActivity, Application, OfficeWorkload| sort by FirstActivity asc

KQL query in sentinel for users first activity

12 Replies

Clive_Watson

Bronze Contributor

May 22, 2023

mm83RI This should get you started

// Find the firstSeen for a User
SigninLogs
| summarize arg_min(TimeGenerated,*) by UserPrincipalName
// join to last seen data for that user
|join 
(
  SigninLogs
  | summarize arg_max(TimeGenerated,*) by UserPrincipalName
  // any column that ends in a "1" is a last seen
) on UserPrincipalName
// Note, the "*" in arg_min and arg_max will return all columns, 
// to reduce the noise you can name them or just project the needed ones.  e.g.? 
| project UserPrincipalName, TimeGenerated, TimeGenerated1, OperationName

mm83RI

Copper Contributor

May 23, 2023

This is great. But I would like to project which Activity was his first (for example Teams, Sharepoint site, etc) and the time.
Can I connect join somehow Office Activity with SigninLogs?

Clive_Watson

Bronze Contributor

May 23, 2023

mm83RI

This will do that, if the UserPrincipalName in SigninLogs matches the UserID in OfficeActivity (you wont see people that do not have activity)

// firstSeen
SigninLogs
| summarize arg_min(TimeGenerated,*) by UserPrincipalName
// join to last seen data
|join 
(
  SigninLogs
  | summarize arg_max(TimeGenerated,*) by UserPrincipalName
  // any column that ends in a "1" is a last seen
) on UserPrincipalName
// the "*" in arg_min and arg_max will return all columns, 
// to reduce the noise you can name them or just project the needed ones? 
| project UserPrincipalName, TimeGenerated, TimeGenerated1, OperationName
| join 
(
OfficeActivity
// add any extra colums you need to the list
| summarize arg_min(TimeGenerated, OfficeWorkload, ResultStatus) by UserId
 ) on $left.UserPrincipalName == $right.UserId
| project UserPrincipalName, FirstSeen=TimeGenerated, LastSeen=TimeGenerated1, OperationName, FirstActivity=TimeGenerated2, OfficeWorkload, ResultStatus

Forum Discussion

KQL query in sentinel for users first activity

12 Replies

Resources