AzureActivity | summarize LastActivity = max(TimeGenerated) by ResourceProvider, ResourceGroup | join kind = innerunique( AzureActivity | summarize...
SigninLogs |whereTimeGenerated >ago(14d) |whereUserPrincipalName =="reprise_99@testdomain.com"|whereResultType =="0"|summarizeSigninCount=count()bybin(TimeGenerated,1d) |renderareachart Column charts and bar charts can also be used with time data. You will get a column or bar per time '...
| extend FirstLogonOfTheDay=TimeGenerated; SecurityEvent | where TimeGenerated between (startofday(ago(2d)) .. endofday(ago(1h))) | where AccountType == 'User' and EventID in (4634) | extend Date=format_datetime(TimeGenerated, 'dd-MM-yyyy') | summarize arg_max(TimeGenerated, *) b...
or Template but not both.Template:|-SigninLogs| where UserDisplayName == '{{user}}' or UserPrincipalName == '{{user}}' | project TimeGenerated, OperationName, UserDisplayName, UserPrincipalName, Location, ResourceDisplayName, ConditionalAccessStatus, IsInteractive | top 100 by TimeGenerated ...
or Template but not both.Template:|-SigninLogs| where UserDisplayName == '{{user}}' or UserPrincipalName == '{{user}}' | project TimeGenerated, OperationName, UserDisplayName, UserPrincipalName, Location, ResourceDisplayName, ConditionalAccessStatus, IsInteractive | top 100 by TimeGenerated ...
This query looks for all signin logs over the last 14 days, that have reprise_99@testdomain.com as the UserPrincipalname, that are successful and then returns the latest record. SigninLogs | where TimeGenerated > ago(14d) | where UserPrincipalName == "reprise_99@testdomain.com" | where...
You would get the same result with: let startTime = ago(1d); let endTime = now(); Perf | where ObjectName == "Processor" | where InstanceName == "_Total" | summarize PctCpuTime = avg(CounterValue) by Computer, bin(TimeGenerated, 1h)...
| where UserAccountControl has "PasswordNeverExpires" | summarize arg_max(TimeGenerated, *) by AccountName | project AccountName, AccountCreationTime, AccountDomain, AccountUPN, OnPremisesDistinguishedName, UserAccountControl Set the time range to go as far back as you can...
generated.runtime.Properties Microsoft.Azure.PowerShell.Cmdlets.DataBoundary.Models Microsoft.Azure.PowerShell.Cmdlets.DataBoundary.Runtime Microsoft.Azure.PowerShell.Cmdlets.DataBoundary.Runtime.Cmdlets Microsoft.Azure.PowerShell.Cmdlets.DataBoundary.Runtime.Json Microsoft.Azure.PowerShell.Cmdlets.DataBoundar...
or Template but not both.Template:|-SigninLogs| where UserDisplayName == '{{user}}' or UserPrincipalName == '{{user}}' | project TimeGenerated, OperationName, UserDisplayName, UserPrincipalName, Location, ResourceDisplayName, ConditionalAccessStatus, IsInteractive | top 100 by TimeGenerated ...