Kusto Query for terminated or disabled employees from AD


Does anyone have a query from AD on how to find the terminated or disabled employees?


Thank you,


6 Replies



To see if a User was deleted try this to get you going:


AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName =="Delete user"
//| where TargetResources contains "< a person's name >"
| summarize arg_max(TimeGenerated,ActivityDisplayName, Result)



Note: only the last record is shown, and two columns - remove or amend the last line if you need to see more/less 

Hi @Clive_Watson
That is helpful, but is there a way to search a log for the "Enabled" parameter in AD?
Thank you

@JonPerry You can use this to find all the Operations

AuditLogs
| where TimeGenerated > ago(30d)
| summarize count() by OperationName




Then you can focus in on the results


AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName has "Enable" //or OperationName has "User"
| summarize count() by OperationName


Is it maybe "Enable Account" or "Add User" you need?

If you just need to search, then, I'd run a simple search

AuditLogs
| where TimeGenerated > ago(30d)
| search "Enabled"

I'd then search using the search feature to find that data within the returned result (you can see I typed "enable" to do that).




Great, thank you very much.
I would like to take the values from the Target Resources -> modifiedProperties -> newvalue -> [true]. I tried using extend IHUserOld=substring(TargetResources, 218, 10) but the offset is not consistent. So the first event works but the next will be off. Do you know a way to clean up the new column to just show disabled or enabled? Thanks

You could grab the whole newValue:

AuditLogs
//| where TimeGenerated > ago(2d)
| extend modifiedProperties_ = tostring(parse_json(tostring(TargetResources[0].modifiedProperties)))
| extend newValue_ = tostring(parse_json(modifiedProperties_)[0].newValue)
| summarize count() by newValue_

and/or maybe look at: https://docs.microsoft.com/en-gb/azure/data-explorer/kusto/query/parseoperator
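
Added example, not part of the thread above: one way to turn newValue into a clean Enabled/Disabled column without fixed offsets or a fixed `[0]` index, by expanding every modified property and keeping only the account-state one. It assumes that property's displayName is "AccountEnabled"; the sample rows are constructed, and the names SampleAuditLogs, Target, Prop, User and AccountState are illustrative.

```kusto
// Constructed sample rows standing in for the AuditLogs table (not real log data).
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, TargetResources:dynamic)
[
    // Account-state change is the SECOND modified property here, so [0] would miss it.
    datetime(2024-01-10 09:00:00), "Update user",
        dynamic([{"userPrincipalName":"alice@example.com","modifiedProperties":[
            {"displayName":"Department","oldValue":"Sales","newValue":"Finance"},
            {"displayName":"AccountEnabled","oldValue":"[true]","newValue":"[false]"}]}]),
    datetime(2024-01-11 14:30:00), "Update user",
        dynamic([{"userPrincipalName":"bob@example.com","modifiedProperties":[
            {"displayName":"AccountEnabled","oldValue":"[false]","newValue":"[true]"}]}]),
    // No account-state change at all: this row should drop out of the result.
    datetime(2024-01-12 08:15:00), "Update user",
        dynamic([{"userPrincipalName":"carol@example.com","modifiedProperties":[
            {"displayName":"Department","oldValue":"IT","newValue":"Security"}]}])
];
SampleAuditLogs                                   // replace with AuditLogs in a real workspace
| where TimeGenerated > ago(3650d)                // wide window only so the constructed rows match
| mv-expand Target = TargetResources              // one row per target resource
| mv-expand Prop = Target.modifiedProperties      // one row per modified property
| where tostring(Prop.displayName) == "AccountEnabled"   // assumed property name
| extend NewValue = tostring(Prop.newValue)       // "[true]" or "[false]"
| extend AccountState = case(
    NewValue has "true",  "Enabled",
    NewValue has "false", "Disabled",
    "Unknown")
| project TimeGenerated, OperationName, User = tostring(Target.userPrincipalName), AccountState
| order by TimeGenerated desc
```

To list only disabled accounts, add `| where AccountState == "Disabled"` before the `project` line.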