Forum Discussion
Kusto Query for terminated or disabled employees from AD
Does anyone have a query from AD on how to the terminated or disabled employees? Thank you, Jon
To see if a User was deleted try this to get you going:
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName =="Delete user"
//| where TargetResources contains "< a person's name >"
| summarize arg_max(TimeGenerated,ActivityDisplayName, Result)
Note: only the last record is shown, and two columns - remove or amend the last line if you need to see more/less
Hi Clive_Watson
That is helpful but is there way to search a log for the "Enabled" parameter in AD.
Thank you
That is helpful but is there way to search a log for the "Enabled" parameter in AD.
Thank you