Forum Discussion
JonPerry
Jul 14, 2022, Copper Contributor
Kusto Query for terminated or disabled employees from AD
Does anyone have a query from AD on how to find the terminated or disabled employees?
Thank you,
Jon
- Clive_Watson, Bronze Contributor
To see if a User was deleted try this to get you going:
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName =="Delete user"
//| where TargetResources contains "< a person's name >"
| summarize arg_max(TimeGenerated,ActivityDisplayName, Result)
Note: only the last record is shown, and two columns - remove or amend the last line if you need to see more/less
- JonPerry, Copper Contributor
Hi Clive_Watson
That is helpful, but is there a way to search a log for the "Enabled" parameter in AD?
Thank you
- Clive_Watson, Bronze Contributor
JonPerry You can use this to find all the Operations
AuditLogs | where TimeGenerated > ago(30d) | summarize count() by OperationName
Then you can focus in on the results
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName has "Enable" //or OperationName has "User"
| summarize count() by OperationName
Is it maybe "Enable Account" or "Add User" you need?
If you just need to search, then, I'd run a simple search
AuditLogs
| where TimeGenerated > ago(30d)
| search "Enabled"
I'd then search using the search feature to find that data within the returned result (you can see I typed "enable" to do that).
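Extending the queries in this thread to the original question, as an added example that is not from either poster: it keeps the latest delete or disable event per target user. The operation name "Disable account", the "AccountEnabled" modified property and all sample rows are assumptions or constructed values; confirm the operation names in your workspace with the `summarize count() by OperationName` query above.

```kusto
// Constructed sample rows standing in for AuditLogs (names and values are made up)
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string,
                                Result:string, InitiatedBy:dynamic, TargetResources:dynamic)
[
    datetime(2022-07-10T09:00:00Z), "Update user", "success",
        dynamic({"user":{"userPrincipalName":"admin@contoso.example"}}),
        dynamic([{"userPrincipalName":"alice@contoso.example",
                  "modifiedProperties":[{"displayName":"AccountEnabled","oldValue":"[true]","newValue":"[false]"}]}]),
    datetime(2022-07-11T10:30:00Z), "Update user", "success",
        dynamic({"user":{"userPrincipalName":"admin@contoso.example"}}),
        dynamic([{"userPrincipalName":"bob@contoso.example",
                  "modifiedProperties":[{"displayName":"Department","oldValue":"[\"IT\"]","newValue":"[\"HR\"]"}]}]),
    datetime(2022-07-12T14:00:00Z), "Disable account", "success",
        dynamic({"user":{"userPrincipalName":"helpdesk@contoso.example"}}),
        dynamic([{"userPrincipalName":"carol@contoso.example","modifiedProperties":[]}]),
    datetime(2022-07-13T08:15:00Z), "Delete user", "success",
        dynamic({"user":{"userPrincipalName":"admin@contoso.example"}}),
        dynamic([{"userPrincipalName":"dave@contoso.example","modifiedProperties":[]}])
];
SampleAuditLogs   // against real data: AuditLogs | where TimeGenerated > ago(30d)
| where OperationName in ("Delete user", "Disable account", "Update user")
| extend TargetUser = tostring(TargetResources[0].userPrincipalName),
         Actor      = tostring(InitiatedBy.user.userPrincipalName),
         Props      = tostring(TargetResources[0].modifiedProperties)
// Keep "Update user" rows only when the AccountEnabled property was touched;
// this drops unrelated profile edits such as the Department change for bob.
| where OperationName != "Update user" or Props has "AccountEnabled"
// Latest matching event per user, the same arg_max idea as the first reply
| summarize arg_max(TimeGenerated, OperationName, Actor, Result, Props) by TargetUser
| order by TimeGenerated desc
```

For "Update user" rows, read the old and new values in Props to tell a disable from a re-enable.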