How to get all logs for a specific user in sentinel

Question

Hi Community,&nbsp;Help me out how to get all the logs for an user in sentinel. I was using the below quire but it is not written the expected results&nbsp;UserAccessAnalytics| where SourceEntityName ==&nbsp; user email address.&nbsp;Thanks,Kishore

deshantshukla · Answer

Hi&nbsp;kishore_soc,&nbsp;Try this command,&nbsp;&nbsp;search "user email address"&nbsp;This will give you all the logs for a specific user from all tables.&nbsp;

clivewatson · Answer

deshantshukla&nbsp;
search "name"
| summarize count() by Type
// type will list the tables that are matched, in my example this finds name in the table "LAQueryLogs", so now use that, in the next query

LAQueryLogs
| where AADEmail == "name"

// or just get the last record in each Table
search "name"  
| summarize arg_max(TimeGenerated,*) by Type

jose sisto · Answer

It worked pretty well

Forum Discussion

How to get all logs for a specific user in sentinel

3 Replies

Resources