![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 87%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,268 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 30%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Hello @Peter Snydert ,
I Understand you need help to create KQL query to find out when and who created a new user.
Here is the KQL query which can help you to achieve your ask.
AuditLogs
| where OperationName == "Add user"
| project TimeGenerated, InitiatedBy = tostring(InitiatedBy.user.userPrincipalName),
CreatedUser = tostring(TargetResources[0].userPrincipalName),
CreatedUserDisplayName = tostring(TargetResources[0].displayName),
ActivityDisplayName
| sort by TimeGenerated desc
I have tested the same in my tenant and is working as expected. Let me know if you have any further questions feel free to post back. Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
