I have used the below query to find out user accounts which were disabled and then enabled after 30 days in AD.

index=* host="o365:ms" (Operation="Enable account." OR Operation="Disable account.") earliest=-30d object_id="*@domain.com"
| stats values(_time) as times earliest(Operation) as firstEvent latest(Operation) as lastEvent by username
| replace "Enable account." with "enabled" in firstEvent, lastEvent
| replace "Disable account." with "disabled" in firstEvent, lastEvent
| search firstEvent="disabled" AND lastEvent="enabled"
| table firstEvent lastEvent ObjectId
| convert ctime(times)

It's not giving me the desired results. Can someone help me in resolving this?
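The same disabled-then-re-enabled test, expressed outside Splunk so the logic can be checked against known input. This is an added example, not code from the post; the audit records, user names, domain and "search time" are constructed, and the lookback default mirrors the query's earliest=-30d so it shows the same blind spot (a disable older than the window is never seen).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample o365 audit events (hypothetical users and domain),
# trimmed to the three fields the detection needs.
SAMPLE_EVENTS = [
    '{"CreationTime":"2024-05-01T08:00:00","Operation":"Disable account.","ObjectId":"alice@example.com"}',
    '{"CreationTime":"2024-05-20T09:30:00","Operation":"Enable account.","ObjectId":"alice@example.com"}',
    '{"CreationTime":"2024-05-03T10:00:00","Operation":"Enable account.","ObjectId":"bob@example.com"}',
    '{"CreationTime":"2024-05-04T10:00:00","Operation":"Disable account.","ObjectId":"bob@example.com"}',
    '{"CreationTime":"2024-04-10T12:00:00","Operation":"Disable account.","ObjectId":"carol@example.com"}',
    '{"CreationTime":"2024-05-25T12:00:00","Operation":"Enable account.","ObjectId":"carol@example.com"}',
    '{"CreationTime":"2024-05-06T11:00:00","Operation":"Update user.","ObjectId":"dave@example.com"}',
]
NOW = datetime(2024, 5, 30, 0, 0, 0)  # constructed "search time"


def parse_events(lines):
    """Parse JSON audit lines into (time, operation, object_id) tuples."""
    out = []
    for line in lines:
        rec = json.loads(line)
        out.append((datetime.fromisoformat(rec["CreationTime"]),
                    rec["Operation"], rec["ObjectId"]))
    return out


def find_reenabled(events, now, lookback_days=30, domain="example.com"):
    """Return {object_id: (disabled_at, enabled_at)} for accounts whose
    earliest enable/disable event inside the window is a disable and whose
    latest is an enable, i.e. the firstEvent/lastEvent test from the SPL.
    Like earliest=-30d, a disable older than the window is not seen, so a
    re-enable of a long-disabled account (carol) is missed unless the
    lookback is widened."""
    window_start = now - timedelta(days=lookback_days)
    per_user = defaultdict(list)
    for t, op, oid in events:
        if op not in ("Enable account.", "Disable account."):
            continue
        if t < window_start or t > now or not oid.endswith("@" + domain):
            continue
        per_user[oid].append((t, op))
    hits = {}
    for oid, evs in per_user.items():
        evs.sort()  # chronological, so evs[0]/evs[-1] are earliest/latest
        (t_first, op_first), (t_last, op_last) = evs[0], evs[-1]
        if op_first == "Disable account." and op_last == "Enable account.":
            hits[oid] = (t_first, t_last)
    return hits
```

With the sample data only alice is reported at the 30-day default; carol appears only when lookback_days is raised past her disable date.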