Forum Discussion

JonPerry's avatar
JonPerry
Copper Contributor
Jul 14, 2022

Kusto Query for terminated or disabled employees from AD

Does anyone have a query from AD on how to the terminated or disabled employees?   Thank you, Jon
KQL
kusto
siem
Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Jul 14, 2022

JonPerry 

 

To see if a User was deleted try this to get you going:

 

AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName =="Delete user"
//| where TargetResources contains "< a person's name >"
| summarize arg_max(TimeGenerated,ActivityDisplayName, Result)

 

Note: only the last record is shown, and two columns - remove or amend the last line if you need to see more/less 

  • JonPerry's avatar
    JonPerry
    Copper Contributor
    Jul 14, 2022
    Hi Clive_Watson
    That is helpful but is there way to search a log for the "Enabled" parameter in AD.
    Thank you
    • Clive_Watson's avatar
      Clive_Watson
      Bronze Contributor
      Jul 15, 2022

      JonPerry You can use this to find all the Operations

      AuditLogs
| where TimeGenerated > ago(30d)
| summarize count() by OperationName

       

       

      The you can focus in on the results 

       

      AuditLogs
      | where TimeGenerated > ago(30d)
      | where OperationName has "Enable" //or OperationName has "User"
      | summarize count() by OperationName

       

      In maybe "Enable Account" or "Add User" you need?

      If you just need to search, then, I'd run a simple search

      AuditLogs
      | where TimeGenerated > ago(30d)
      | search "Enabled"

      I'd then search using the search feature to find that data within the returned result (you can see I typed "enable" to do that.


       




       

      • JonPerry's avatar
        JonPerry
        Copper Contributor
        Jul 15, 2022
        Great, thank you very much.

Resources