Mar 08 2022 05:08 PM - edited Mar 08 2022 05:12 PM
I am trying to write a query that will output results of audit logs for external users added to AAD outside of work hours. Below is the query I currently have but it isn't giving me the results I want. What am I missing?
AuditLogs
| where OperationName == "Invite external user"
| where TimeGenerated !between (datetime(06:00:00) .. datetime(23:00:00))
Mar 08 2022 08:56 PM
Solution
When you specify just time in a datetime value it implicitly means "Today at hh:mm:ss", so your query searches for any log that is not between "Today 06:00 and Today 23:00".
Maybe you want something like this?
AuditLogs
| where OperationName == "Invite external user"
| where hourofday(TimeGenerated) !between (6 .. 22)
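An added example, not part of the original posts: `TimeGenerated` is stored in UTC, so the `hourofday()` filter above measures UTC hours; this variant converts to a local zone first and also goes beyond the thread by flagging weekend invites. Assumptions: the `America/New_York` zone, the 6 to 22 hour window taken from the answer, and a constructed `SampleAuditLogs` table with a hypothetical `Initiator` column standing in for `AuditLogs`.

```kusto
// Constructed sample rows (UTC timestamps); replace SampleAuditLogs with AuditLogs in a real workspace.
let SampleAuditLogs = datatable(TimeGenerated: datetime, OperationName: string, Initiator: string)
[
    datetime(2022-03-07 14:30:00), "Invite external user", "alice@contoso.example",  // Mon 09:30 local: work hours
    datetime(2022-03-08 03:15:00), "Invite external user", "bob@contoso.example",    // Mon 22:15 local: work hours
    datetime(2022-03-08 09:40:00), "Invite external user", "carol@contoso.example",  // Tue 04:40 local: off hours
    datetime(2022-03-05 16:00:00), "Invite external user", "dave@contoso.example",   // Sat 11:00 local: weekend
    datetime(2022-03-08 04:05:00), "Add user",             "erin@contoso.example"    // other operation: ignored
];
let WorkZone = "America/New_York";   // assumed time zone of the business
let WorkStartHour = 6;               // first working hour (06:00)
let WorkEndHour = 22;                // last working hour, inclusive (covers 22:00-22:59)
SampleAuditLogs
| where OperationName == "Invite external user"
// Compare on local wall-clock time, not on the stored UTC value.
| extend LocalTime = datetime_utc_to_local(TimeGenerated, WorkZone)
// hourofday() returns 0-23 regardless of date, so the window applies to every day.
| extend OffHours = hourofday(LocalTime) !between (WorkStartHour .. WorkEndHour),
         // dayofweek() returns a timespan counted from Sunday: 0d = Sunday, 6d = Saturday.
         Weekend = dayofweek(LocalTime) == 6d or dayofweek(LocalTime) == 0d
| where OffHours or Weekend
| project TimeGenerated, LocalTime, Initiator, OffHours, Weekend
```

With the sample rows, only the carol (off hours) and dave (weekend) invites are returned.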