Jul 14 2022 09:14 AM
Does anyone have a query from AD on how to find the terminated or disabled employees?
Thank you,
Jon
Jul 14 2022 10:24 AM
To see if a User was deleted try this to get you going:
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName =="Delete user"
//| where TargetResources contains "< a person's name >"
| summarize arg_max(TimeGenerated,ActivityDisplayName, Result)
Note: only the last record is shown, and two columns - remove or amend the last line if you need to see more/less
Jul 14 2022 12:13 PM
Jul 15 2022 01:06 AM
@JonPerry You can use this to find all the Operations
AuditLogs
| where TimeGenerated > ago(30d)
| summarize count() by OperationName
Then you can focus in on the results
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName has "Enable" //or OperationName has "User"
| summarize count() by OperationName
Is it maybe "Enable Account" or "Add User" you need?
If you just need to search, then, I'd run a simple search
AuditLogs
| where TimeGenerated > ago(30d)
| search "Enabled"
I'd then search using the search feature to find that data within the returned result (you can see I typed "enable" to do that).
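Added example, not part of any post in this thread: one way to combine the approaches above into a single query that lists the most recent delete or disable event per user, with who performed it. It assumes the tenant logs disablement under the OperationName "Disable account"; confirm the exact names with the `summarize count() by OperationName` query before relying on it.

```kusto
// Added example: latest delete/disable event per user over the last 30 days.
// Assumption: disablement is recorded as OperationName "Disable account" in this tenant;
// check the operation list from "summarize count() by OperationName" first.
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName in ("Delete user", "Disable account")
| where Result =~ "success"
// TargetResources is an array; expand it and keep only user objects
| mv-expand Target = TargetResources
| where tostring(Target.type) =~ "User"
| extend TargetUser = tostring(Target.userPrincipalName)
// The actor is either a user or an application (for example a provisioning service)
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
// Keep the last matching event for each affected account
| summarize arg_max(TimeGenerated, OperationName, Actor, Result, CorrelationId) by TargetUser
| sort by TimeGenerated desc
```

Replace the `summarize` line with `project TimeGenerated, OperationName, TargetUser, Actor, Result` to see every event instead of only the latest per account.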
Jul 15 2022 07:51 AM
Jul 15 2022 11:33 AM
Jul 16 2022 12:24 AM