Hunt for activities where Hard Delete user was performed

Query Information

Description

This query lists activities where a hard user delete has been performed.

Defender XDR

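CloudAppEvents
// Keep only hard (permanent) user deletions
| where ActionType == "Hard Delete user."
// ObjectId in the raw event identifies the deleted user
| extend DeletedUser = tostring(parse_json(RawEventData).ObjectId)
| project
     Timestamp,
     ActionType,
     Application,
     InitiatingUser = AccountDisplayName,
     DeletedUser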

Sentinel

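CloudAppEvents
// Keep only hard (permanent) user deletions
| where ActionType == "Hard Delete user."
// ObjectId in the raw event identifies the deleted user
| extend DeletedUser = tostring(parse_json(RawEventData).ObjectId)
| project
     TimeGenerated,
     ActionType,
     Application,
     InitiatingUser = AccountDisplayName,
     DeletedUser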
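
Bulk hard deletes

The following is an added example, not part of the original query file: it extends the hunt by grouping hard deletes per initiating account and hour, so that an account removing many users in a short window stands out. The threshold of 5 and the 1-hour window are assumed values to tune per tenant; in Sentinel, replace Timestamp with TimeGenerated.

```kql
// Added example: surface accounts that hard-delete several users within one hour.
// BulkThreshold and the 1h bin are assumed values, not taken from the original query.
let BulkThreshold = 5;
CloudAppEvents
| where ActionType == "Hard Delete user."
| extend DeletedUser = tostring(parse_json(RawEventData).ObjectId)
| summarize
     HardDeletes = dcount(DeletedUser),         // distinct users removed in the window
     DeletedUsers = make_set(DeletedUser, 100), // capped list for triage
     FirstSeen = min(Timestamp),
     LastSeen = max(Timestamp)
     by InitiatingUser = AccountDisplayName, Application, Window = bin(Timestamp, 1h)
| where HardDeletes >= BulkThreshold
| sort by HardDeletes desc
```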