mmikac
Copper Contributor
Jun 07, 2023

Logs in Sentinel show all Operation logs for external users only

Greetings all

Sentinel in Azure shows all Operation logs only for External users but not for Internal ones.

Is it because of policies or what could be the reason?

For example, it shows when a message is sent in Teams from an external user but not from internal.

3 Replies

  • Clive_Watson
    Bronze Contributor
    Is this the OfficeActivity table?

    If I run this example (add your email to line 3), I see both users from other companies

    OfficeActivity
    | where RecordType =~'MicrosoftTeams'
    | where UserId !endswith "yourDomain.com"

    What have you tried so far?
    • mmikac
      Copper Contributor

      Clive_Watson

      When I run your query it still shows only external users for Message Sent.

      This is OfficeActivity table.

      When I try to get all office activity that's on our tenant, MessageSent is not visible, but when I do the same for external it is visible.

      • rcoodey
        Copper Contributor

        mmikac and Clive_Watson, we are trying to query the same OfficeActivity where Operation == 'MessageSent' and not seeing records. Seems like the same issue where only external are showing. Did you ever find a solution? Was there a setting to enable or another log they might be going to?

        Thanks!
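
An added diagnostic query, not part of any post in this thread: it counts Teams records in OfficeActivity per Operation, split into internal and external users, so you can see whether internal MessageSent rows are missing from the table itself or only hidden by a filter. The domain placeholder is the one from the reply above; the 7-day window is an assumption.

```kusto
// Added example. Replace the placeholder with your tenant's mail domain.
let internalDomain = "yourDomain.com";
OfficeActivity
| where TimeGenerated > ago(7d)              // assumed look-back window
| where RecordType =~ "MicrosoftTeams"
// endswith is case-insensitive, so mixed-case UPNs are still matched
| extend UserScope = iff(UserId endswith internalDomain, "Internal", "External")
| summarize
    Internal = countif(UserScope == "Internal"),
    External = countif(UserScope == "External"),
    LastSeen = max(TimeGenerated)
    by Operation
| order by Operation asc
```

A MessageSent row with Internal = 0 and External > 0, while other operations show internal counts, reproduces the symptom described in the thread at the table level.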
