Aug 25 2021 08:08 AM
Hi Community,
Help me out with how to get all the logs for a user in Sentinel. I was using the below query but it is not returning the expected results:
UserAccessAnalytics
| where SourceEntityName == "<user email address>"
Thanks,
Kishore
Aug 25 2021 11:11 AM
Hi @kishore_soc,
Try this command,
search "user email address"
This will give you all the logs for a specific user from all tables.
Aug 31 2021 06:05 AM
search "name"
| summarize count() by Type
// Type will list the tables that are matched; in my example this finds "name" in the table "LAQueryLogs", so use that table in the next query
LAQueryLogs
| where AADEmail == "name"
// or just get the last record in each Table
search "name"
| summarize arg_max(TimeGenerated,*) by Type
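Building on the two answers above, the following is an added example (not posted by anyone in this thread) that turns the cross-table `search` into a per-table activity summary bounded in time, and then unions the two tables most analysts care about for a user into one timeline. The address `user@example.com` is a placeholder; the time window and the column names used for SigninLogs and OfficeActivity are the standard Sentinel schema columns, and the choice of those two tables is an assumption you should adjust to whatever the first query shows has data.

```kql
// Added example, not from the thread. "user@example.com" is a placeholder for the account under review.
// Step 1: which tables mention the user in the last 7 days, how often, and when first/last seen.
// search is case-insensitive, so differences in UPN casing across sources do not hide events.
search "user@example.com"
| where TimeGenerated > ago(7d)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Type
| order by LastSeen desc

// Step 2: build one timeline from the tables that step 1 showed as populated.
// Assumed tables and columns (standard Sentinel schema): SigninLogs.UserPrincipalName,
// OfficeActivity.UserId. isfuzzy=true lets the query run even if one table is not onboarded.
// =~ is case-insensitive string equality.
union isfuzzy=true
    (SigninLogs
        | where TimeGenerated > ago(7d)
        | where UserPrincipalName =~ "user@example.com"
        | project TimeGenerated, Source = "SigninLogs", Activity = AppDisplayName,
                  Outcome = ResultType, IPAddress),
    (OfficeActivity
        | where TimeGenerated > ago(7d)
        | where UserId =~ "user@example.com"
        | project TimeGenerated, Source = "OfficeActivity", Activity = Operation,
                  Outcome = ResultStatus, IPAddress = ClientIP)
| order by TimeGenerated desc
```

Run step 1 first: its `Type` column tells you which tables actually hold events for the account in your workspace, so you can extend the `union` in step 2 with the right table and its user column rather than guessing. Keeping the time filter on each branch of the union (not only on the final result) matters for cost and speed, because each branch is scanned independently.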