JonPerry
Copper Contributor
Jul 14, 2022

Kusto Query for terminated or disabled employees from AD

Does anyone have a query from AD on how to find the terminated or disabled employees?

 

Thank you,

Jon

  • Clive_Watson
    Bronze Contributor

    JonPerry

    To see if a User was deleted, try this to get you going:

    AuditLogs
    | where TimeGenerated > ago(30d)
    | where OperationName =="Delete user"
    //| where TargetResources contains "< a person's name >"
    | summarize arg_max(TimeGenerated, ActivityDisplayName, Result)

    Note: only the last record is shown, and two columns - remove or amend the last line if you need to see more/less.

    • JonPerry
      Copper Contributor

      Hi Clive_Watson,
      That is helpful, but is there a way to search a log for the "Enabled" parameter in AD?
      Thank you
      • Clive_Watson
        Bronze Contributor

        JonPerry You can use this to find all the Operations:

        AuditLogs
        | where TimeGenerated > ago(30d)
        | summarize count() by OperationName

         

         

        Then you can focus in on the results:

         

        AuditLogs
        | where TimeGenerated > ago(30d)
        | where OperationName has "Enable" //or OperationName has "User"
        | summarize count() by OperationName

         

        Maybe "Enable Account" or "Add User" is what you need?

        If you just need to search, then I'd run a simple search:

        AuditLogs
        | where TimeGenerated > ago(30d)
        | search "Enabled"

        I'd then search using the search feature to find that data within the returned result (you can see I typed "enable" to do that).

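Putting the two answers together, here is an added example (not from the thread or from Clive_Watson) that lists which users were deleted or disabled in the last 30 days and who did it, instead of only counting operations. "Delete user" is the OperationName used in the thread; "Disable account", the Result value "success", and the TargetResources[0].userPrincipalName / InitiatedBy paths are assumptions about the Azure AD AuditLogs schema, so confirm the operation names in your tenant with the `summarize count() by OperationName` query above before relying on them.

```kusto
// Added example, not from the thread: users deleted or disabled in Azure AD
// over the last 30 days, with the account or app that performed the change.
// Assumptions to verify in your tenant (see "summarize count() by OperationName"):
//   - "Delete user" (from the thread) and "Disable account" are the OperationName values
//   - the target's UPN is at TargetResources[0].userPrincipalName
//   - the actor is under InitiatedBy.user or InitiatedBy.app
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName in ("Delete user", "Disable account")
| where Result == "success"
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend Actor = coalesce(
    tostring(InitiatedBy.user.userPrincipalName),
    tostring(InitiatedBy.app.displayName))
| summarize LastSeen = max(TimeGenerated), Events = count()
    by TargetUser, OperationName, Actor
| order by LastSeen desc
```

Keeping the actor column is worth the extra line: a burst of "Disable account" events from one unexpected admin or app stands out immediately, and the TargetUser column gives you a list you can check against later sign-in activity for accounts that should no longer be active.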