Queries for the WindowsEvent table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

WindowsEvent Audit Policy Events

Display events where the Security audit log was cleared (EventID 1102) or the system audit policy was changed (EventID 4719). Both are worth alerting on, because either one can hide later activity from the audit trail.

```kusto
WindowsEvent
// 1102 is written by the Microsoft-Windows-Eventlog provider, not by
// Microsoft-Windows-Security-Auditing, so filtering on the auditing
// provider alone would drop the log-cleared events.
| where Provider in ('Microsoft-Windows-Security-Auditing', 'Microsoft-Windows-Eventlog')
| where EventID == 1102 or EventID == 4719
| extend DescriptionMessage = iff(EventID == 1102, 'Audit log was cleared', 'System audit policy was changed')
| take 100
```
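The query above lists raw hits. As an added example (not from the original page), the query below turns the same two events into a per-host summary with the acting account and the changed policy category, which is the shape a detection rule or triage view usually wants. The `EventData` property names (`SubjectDomainName`, `SubjectUserName`, `AuditPolicyChanges`) are assumptions taken from the Windows Security event schema for 1102/4719; verify them against your own ingested data before relying on them.

```kusto
// Added example, not part of the original page.
// Summarize audit-log clearing (1102) and audit-policy changes (4719)
// per computer over the last 7 days, with who did it.
WindowsEvent
| where TimeGenerated > ago(7d)
| where Provider in ('Microsoft-Windows-Security-Auditing', 'Microsoft-Windows-Eventlog')
| where EventID in (1102, 4719)
| extend DescriptionMessage = case(
    EventID == 1102, 'Audit log was cleared',
    EventID == 4719, 'System audit policy was changed',
    'Other')
// EventData field names below are assumptions based on the Windows event schema.
| extend Actor = strcat(tostring(EventData.SubjectDomainName), @'\', tostring(EventData.SubjectUserName))
| extend PolicyChange = tostring(EventData.AuditPolicyChanges)
| summarize
    Count = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Actors = make_set(Actor, 10),
    PolicyChanges = make_set(PolicyChange, 10)
  by Computer, EventID, DescriptionMessage
| order by LastSeen desc
```

A single 4719 from a change-management window is normal; many 4719s from one account in a short span, or any 1102 at all, is what to surface. Wrapping this query in a scheduled alert rule with a threshold on `Count` per `Computer` is a straightforward next step.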