Kusto Query Language (KQL)
Synopsis: A collection of KQL queries. This is a working document.
Published November 12, 2025
Last Modified: November 12th, 2025
Intro: KQL queries used for custom Azure Workbooks. This section should be limited to just the KQL examples and does not cover Log Analytics workspaces or Azure Monitor.
Quick Run Down
1.) SharePoint Permission Changes - Admin Activities
2.) Place Holder
SharePoint Permissions
OfficeActivity
| where TimeGenerated > ago(30d)
| where OfficeWorkload in ('SharePoint')
| where RecordType in ("SharePointSharingOperation","SharePoint")
// Exclude high-volume operations that are not permission or admin changes
| where Operation !in("PageViewed","PagePrefetched","SearchQueryPerformed")
| where Operation !in("SecureLinkUsed","SharingLinkUsed","CompanyLinkCreated")
| where Operation !in("ClientViewSignaled","PageViewedExtended","SiteAccessWithCustomScripts")
| where Operation !in("SignInEvent","FileMoved","FolderMoved")
// Exclude SharePoint service accounts
| where UserId !in ("app@sharepoint","SHAREPOINT\\system")
| project TimeGenerated, UserId, ClientIP, Operation, Site_Url_, SourceRelativeUrl, TargetUserOrGroupName
| sort by TimeGenerated desc
User Management Logs
AuditLogs
| where TimeGenerated > ago(30d)
| where Category == "UserManagement"
| where ActivityDisplayName !in("Update StsRefreshTokenValidFrom Timestamp","Update PasswordProfile")
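// InitiatedBy.user is only populated for user-initiated changes; app-initiated ones show an empty InitiatedBy
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
// One row per target resource
| mv-expand TargetResources
| project TimeGenerated, InitiatedBy, ActivityDisplayName, TargetUser = tostring(TargetResources.userPrincipalName)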
| sort by TimeGenerated desc