Parse JSON logs, ITDR specifically
Adam Palmer
When looking at the ITDR logs the Message column is just the JSON collection of event information. It would be amazing if you were able to parse the JSON and split that content into columns similar to how this KB does for Excel:
It's more human readable that way.
Roy Denman
This would be a very helpful feature. Due to the volume of log data, I don't think this can be done easily, and the horrible compressed JSON format Microsoft limits us to when exporting unified audit logs as CSVs for that specific column of data. I'm sure it's possible in Excel or PowerShell but may not be worth the time and effort. It is much faster to export the CSV and filter by operation, as this is separated by default for ease of identifying unauthorized account activities, then traverse the audit data field as needed or search the entire file for keywords or IPs.
I have not had much success parsing these json fields due to the odd format and delimiters used. Huntress seems to use “=>” in place of “:” as a delimiter as well but it may still be possible to achieve the results desired with Excel via custom scripting or PowerShell but will take some time.
https://www.reddit.com/r/PowerShell/comments/up0msq/convert_csv_files_containing_json_to_excel/
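As an added example (not part of the thread, and not Huntress's own code), the PowerShell script below does the flattening Roy describes: it reads the export, rewrites the Ruby-style "=>" separators he mentions into valid JSON, parses the column and expands every nested field into its own CSV column. It assumes the JSON column is named "Message" as in the first post, that "nil" stands for null, and that nested objects and arrays should become dotted or indexed column names. The two sample rows and their field names are constructed for the demonstration; replace the `ConvertFrom-Csv` line with `Import-Csv -Path <file>` for a real export.

```powershell
# Added example (not Huntress code or anything posted in the thread): flatten the
# JSON-like "Message" column of an exported ITDR log CSV into one column per field.
# Assumptions: the column is named "Message", values use Ruby-style "=>" separators
# (as described in the post) and "nil" for null, and nested objects/arrays are
# flattened into dotted / indexed column names. The sample rows below are constructed.
param([string]$OutputCsv = '.\itdr-flattened.csv')

# Rewrite "=>" to ":" and bare nil to null, but only outside quoted strings, so an
# "=>" or "nil" that appears inside a value (e.g. a user agent) is left untouched.
function Convert-RubyHashToJson {
    param([string]$Text)
    $sb = [System.Text.StringBuilder]::new()
    $inString = $false
    for ($i = 0; $i -lt $Text.Length; $i++) {
        $c = $Text[$i]
        if ($inString) {
            [void]$sb.Append($c)
            if ($c -eq '\') {
                # Copy the escaped character verbatim so an escaped quote does not end the string.
                $i++
                if ($i -lt $Text.Length) { [void]$sb.Append($Text[$i]) }
            }
            elseif ($c -eq '"') { $inString = $false }
        }
        elseif ($c -eq '"') {
            $inString = $true
            [void]$sb.Append($c)
        }
        elseif ($c -eq '=' -and $i + 1 -lt $Text.Length -and $Text[$i + 1] -eq '>') {
            [void]$sb.Append(':')
            $i++
        }
        elseif ($Text.Substring($i).StartsWith('nil') -and ($i + 3 -ge $Text.Length -or -not [char]::IsLetterOrDigit($Text[$i + 3]))) {
            [void]$sb.Append('null')
            $i += 2
        }
        else { [void]$sb.Append($c) }
    }
    return $sb.ToString()
}

# Recursively copy a parsed object's leaf values into $Target using dotted/indexed names.
function Add-FlattenedProperties {
    param([System.Collections.IDictionary]$Target, [object]$Value, [string]$Prefix)
    if ($Value -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Value.PSObject.Properties) {
            $name = if ($Prefix) { $Prefix + '.' + $p.Name } else { $p.Name }
            Add-FlattenedProperties -Target $Target -Value $p.Value -Prefix $name
        }
    }
    elseif ($Value -is [System.Array]) {
        for ($i = 0; $i -lt $Value.Count; $i++) {
            Add-FlattenedProperties -Target $Target -Value $Value[$i] -Prefix ($Prefix + '[' + $i + ']')
        }
    }
    else {
        $Target[$Prefix] = $Value
    }
}

# Constructed sample standing in for an export; for a real file use: $rows = Import-Csv -Path <file>
$sampleCsv = @'
"Timestamp","Operation","Message"
"2024-01-01T10:00:00Z","UserLoggedIn","{""UserId""=>""alice@example.com"", ""ClientIP""=>""203.0.113.10"", ""ResultStatus""=>""Success"", ""ExtendedProperties""=>[{""Name""=>""UserAgent"", ""Value""=>""Mozilla/5.0 (X11) a=>b""}], ""Actor""=>nil}"
"2024-01-01T10:05:00Z","Add-MailboxPermission","{""UserId""=>""bob@example.com"", ""Parameters""=>{""Identity""=>""alice"", ""AccessRights""=>""FullAccess""}}"
'@
$rows = $sampleCsv | ConvertFrom-Csv

$flat = foreach ($row in $rows) {
    $out = [ordered]@{}
    foreach ($p in $row.PSObject.Properties) {
        if ($p.Name -ne 'Message') { $out[$p.Name] = $p.Value }
    }
    try {
        $parsed = ConvertFrom-Json -InputObject (Convert-RubyHashToJson -Text $row.Message)
        Add-FlattenedProperties -Target $out -Value $parsed -Prefix ''
    }
    catch {
        # Never drop a row silently: keep the raw text so it can still be searched.
        $out['Message.raw'] = $row.Message
    }
    [pscustomobject]$out
}

# Export-Csv takes the header from the first object only, so build the union of all
# column names first; otherwise fields that appear only in later rows would be lost.
$columns = [System.Collections.Generic.List[string]]::new()
foreach ($r in $flat) {
    foreach ($p in $r.PSObject.Properties) {
        if (-not $columns.Contains($p.Name)) { $columns.Add($p.Name) }
    }
}
$flat | Select-Object -Property $columns.ToArray() | Export-Csv -Path $OutputCsv -NoTypeInformation
Write-Host "Wrote $($flat.Count) rows and $($columns.Count) columns to $OutputCsv"
```

The separator rewrite walks the text character by character instead of doing a blanket `-replace '=>', ':'`, because an "=>" inside a value (the constructed user-agent string in the sample) would otherwise corrupt the JSON. If the column already holds standard JSON the rewrite is a no-op, so the same script works on both formats. Rows that still fail to parse keep their original text in a `Message.raw` column rather than being lost, which matters when the export is being reviewed for unauthorized activity.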