How to get all logs for a specific user in sentinel


Hi Community,

 

Help me out with how to get all the logs for a user in Sentinel. I was using the query below, but it is not returning the expected results.

 

UserAccessAnalytics
| where SourceEntityName == "<user email address>"

 

Thanks,

Kishore


Hi @kishore_soc,

 

Try this command, 

 

search "user email address"

 

This will give you all the logs for a specific user from all tables. 

@deshantshukla 

search "name"
| summarize count() by Type
// type will list the tables that are matched, in my example this finds name in the table "LAQueryLogs", so now use that, in the next query

LAQueryLogs
| where AADEmail == "name"

// or just get the last record in each Table
search "name"  
| summarize arg_max(TimeGenerated,*) by Type
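The two replies above describe a two-step hunt: use `search` to discover which tables mention the user, then query those tables directly. The block below is an added example that is not part of this thread; it assumes a Sentinel workspace with the standard SigninLogs, AuditLogs and OfficeActivity tables, and the user principal name `alice@contoso.example` is a constructed placeholder. It adds two things a practitioner usually wants: a bounded time window, because an unbounded `search` scans every table in the workspace, and a normalized timeline built with `union isfuzzy=true` so the query still runs when one of the tables is not present.

```kusto
// Added example, not code from the original thread.
// Placeholder values are constructed; replace them with your own.

// ---- Query 1: discover which tables hold events for the user -----------
// `search` is case-insensitive and scans all tables, so always bound the
// time range. `Type` names the table each hit came from.
search "alice@contoso.example"
| where TimeGenerated > ago(7d)
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated) by Type
| order by Hits desc

// ---- Query 2: normalized activity timeline across the known tables ------
// Run separately from Query 1. Each table names its user column differently,
// so project each one onto a common schema before merging.
// `=~` is the case-insensitive comparison; `==` is case-sensitive and will
// silently miss a UPN whose casing differs from the stored value.
let targetUser = "alice@contoso.example";   // constructed placeholder UPN
let lookback = 7d;
union isfuzzy=true
    (SigninLogs
     | where TimeGenerated > ago(lookback)
     | where UserPrincipalName =~ targetUser
     | project TimeGenerated, Source = "SigninLogs",
               Activity = AppDisplayName,
               Outcome = tostring(ResultType),
               IPAddress),
    (AuditLogs
     | where TimeGenerated > ago(lookback)
     | where tostring(InitiatedBy.user.userPrincipalName) =~ targetUser
     | project TimeGenerated, Source = "AuditLogs",
               Activity = OperationName,
               Outcome = Result,
               IPAddress = tostring(InitiatedBy.user.ipAddress)),
    (OfficeActivity
     | where TimeGenerated > ago(lookback)
     | where UserId =~ targetUser
     | project TimeGenerated, Source = "OfficeActivity",
               Activity = Operation,
               Outcome = ResultStatus,
               IPAddress = ClientIP)
| order by TimeGenerated desc
```

Query 1 is the cheap discovery step; once it shows which tables carry the user's events, extend Query 2 with one more parenthesized branch per table rather than relying on `search` for routine investigations. The original `UserAccessAnalytics` filter in the question fails for the same reason the `=~` comment calls out: a bare `==` against a differently cased or unquoted value matches nothing.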