Forum Discussion
Terminated User Logons in Sentinel Query
Hello, Looking for a Query that will search within Sentinel for the last logon attempt for ALL terminated users over the past 11 months, please.
Brad_Hill - You need to store the list terminated employees and the use the below query let list_of_terminated_employeed = dynamic(['email address removed for privacy reasons','email address removed for privacy reasons']); SigninLogs | where TimeGenerated >ago(365d) | summarize arg_max(TimeGenerated,*) by UserPrincipalName | where UserPrincipalName has_any (list_of_terminated_employeed) And you need to ensure that the Microsoft Sentinel Workspace has the retention for the time period you are looking for,
Thank you Samikroy, my apologies for just now seeing this answer.
