Forum Discussion
JonPerry
Jul 14, 2022Copper Contributor
Kusto Query for terminated or disabled employees from AD
Does anyone have a query from AD on how to find the terminated or disabled employees? Thank you, Jon
Clive_Watson
Jul 14, 2022Bronze Contributor
To see if a User was deleted try this to get you going:
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName =="Delete user"
//| where TargetResources contains "< a person's name >"
| summarize arg_max(TimeGenerated,ActivityDisplayName, Result)
Note: only the last record is shown, and two columns - remove or amend the last line if you need to see more/less
JonPerry
Jul 14, 2022Copper Contributor
Hi Clive_Watson
That is helpful, but is there a way to search a log for the "Enabled" parameter in AD.
Thank you
Clive_Watson
Jul 15, 2022Bronze Contributor
JonPerry You can use this to find all the Operations
AuditLogs | where TimeGenerated > ago(30d) | summarize count() by OperationName
Then you can focus in on the results
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName has "Enable" //or OperationName has "User"
| summarize count() by OperationName
In maybe "Enable Account" or "Add User" you need?
If you just need to search, then, I'd run a simple search
AuditLogs
| where TimeGenerated > ago(30d)
| search "Enabled"
I'd then search using the search feature to find that data within the returned result (you can see I typed "enable" to do that).
JonPerry
Jul 15, 2022Copper Contributor
Great, thank you very much.
JonPerry
Jul 15, 2022Copper Contributor
I would like to take the values from the Target Resources -> modifiedProperties -> newvalue -> [true]. I tried using extend IHUserOld=substring(TargetResources, 218, 10) but the offset is not consistent. So the first event works but the next will be off. Do you know a way to clean up the new column to just show disabled or enabled. Thanks
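An added example, not posted by anyone in this thread, showing how the enabled/disabled value can be pulled out of TargetResources without a fixed substring offset. It assumes the Entra ID (Azure AD) AuditLogs schema in which TargetResources is a dynamic array whose entries carry a modifiedProperties array of {displayName, oldValue, newValue}, that the relevant property is named "AccountEnabled", and that newValue is a JSON string such as "[true]" or "[false]"; those names are assumptions to confirm in your own tenant (the summarize-by-OperationName query earlier in the thread is a good way to check what your logs actually contain).

```kql
// Added example (not from any poster in this thread).
// Assumptions: TargetResources[].modifiedProperties[] has displayName/newValue,
// the property of interest is "AccountEnabled", and newValue is a JSON string
// like "[true]" / "[false]". Verify these against your tenant's AuditLogs.
AuditLogs
| where TimeGenerated > ago(30d)
// one row per target user, then one row per modified property
| mv-expand Target = TargetResources
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "AccountEnabled"
// newValue is a JSON string holding a one-element array; parse it rather than
// slicing the raw TargetResources text at a byte offset
| extend NewEnabled = tostring(parse_json(tostring(Prop.newValue))[0])
| extend AccountState = case(NewEnabled == "true",  "Enabled",
                             NewEnabled == "false", "Disabled",
                             "Unknown")
| project TimeGenerated, OperationName, Result,
          Actor      = tostring(InitiatedBy.user.userPrincipalName),
          TargetUser = tostring(Target.userPrincipalName),
          AccountState
| order by TimeGenerated desc
```

Each row is one enable/disable event, so the same user can appear more than once. If what you want is each user's most recent known state rather than the event history, append `| summarize arg_max(TimeGenerated, *) by TargetUser` and then filter on `AccountState == "Disabled"`; bear in mind the audit log only records changes, so accounts disabled before the 30-day window will not show up unless you widen `ago(30d)`.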