Hunt for activities where Hard Delete user was performed


Defender For Endpoint

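CloudAppEvents
// Match the hard-delete action; the trailing period is part of the ActionType value
| where ActionType == "Hard Delete user."
// Take ObjectId from the raw event as the identifier of the deleted user
| extend DeletedUser = parse_json(RawEventData).ObjectId
// Keep when it happened, in which application, who initiated it, and who was deleted
| project
     Timestamp,
     ActionType,
     Application,
     InitiatingUser = AccountDisplayName,
     DeletedUser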

Sentinel

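CloudAppEvents
// Match the hard-delete action; the trailing period is part of the ActionType value
| where ActionType == "Hard Delete user."
// Take ObjectId from the raw event as the identifier of the deleted user
| extend DeletedUser = parse_json(RawEventData).ObjectId
// Same output as the Defender query, with TimeGenerated in place of Timestamp
| project
     TimeGenerated,
     ActionType,
     Application,
     InitiatingUser = AccountDisplayName,
     DeletedUser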