Get Windows LAPS Password retrieval events

LAPS.kql

AuditLogs 
| where TimeGenerated > ago(360d)
| where OperationName == 'Recover device local administrator password'
| mv-expand TargetResources
| extend DeviceName = TargetResources.displayName
| extend Actor = InitiatedBy.user.userPrincipalName
| extend DeviceId = TargetResources.id
| project TimeGenerated, ActivityDisplayName, Actor, DeviceName, DeviceId