Query Details

Audit App Proxy Set to Pass Through

Query

//Alert when an application published through Azure AD Application Proxy has its pre-authentication setting changed to pass-through
AuditLogs
| where LoggedByService == "Application Proxy"
| where OperationName == "Update application"
| where Result == "success"
| extend PreAuthSetting = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue)))
| where PreAuthSetting == "Passthru"
| extend ['App Display Name'] = tostring(TargetResources[0].displayName)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Actor IP Address'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| project TimeGenerated, PreAuthSetting, ['App Display Name'], Actor, ['Actor IP Address']

Explanation

This query looks for audit logs written by the Azure AD Application Proxy service. It keeps only successful "Update application" operations and then inspects the first modified property of the first target resource: modifiedProperties is stored as a JSON string, and the newValue inside it is itself a JSON-encoded string, which is why parse_json is applied twice before comparing against "Passthru". A match means pre-authentication was switched to pass-through, so users reach the published application without Azure AD authenticating them first. For each match it projects the time the log was generated, the pre-authentication setting, the display name of the application, the user who initiated the update, and that user's IP address.
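As an added example (not part of the original page or the author's query), the same filters and nested-JSON extraction implemented in Python over constructed sample AuditLogs rows; the field shapes follow what the KQL above parses, and every sample value (app names, UPN, IP address, timestamp) is made up.

```python
import json

# Constructed sample AuditLogs rows shaped like the Azure AD "Update application" events
# the query filters on (all values are made up). modifiedProperties is a JSON string, and
# each newValue inside it is itself a JSON-encoded string, hence the double parse_json.
def _row(app, old, new, result="success", upn="admin@example.com"):
    return {
        "TimeGenerated": "2022-07-30T10:15:00Z",
        "LoggedByService": "Application Proxy",
        "OperationName": "Update application",
        "Result": result,
        "TargetResources": [{
            "displayName": app,
            "modifiedProperties": json.dumps([{"displayName": "ExternalAuthenticationType",
                                               "oldValue": json.dumps(old), "newValue": json.dumps(new)}]),
        }],
        "InitiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": "203.0.113.10"}},
    }

SAMPLE_AUDIT_LOGS = [
    _row("Intranet Portal", "AadPreAuthentication", "Passthru"),         # should alert
    _row("HR Portal", "Passthru", "AadPreAuthentication"),               # tightened, no alert
    _row("Wiki", "AadPreAuthentication", "Passthru", result="failure"),  # failed update, no alert
]

def pre_auth_setting(row):
    """Mirror the KQL extend: parse modifiedProperties, take [0], then decode its newValue."""
    props = json.loads(row["TargetResources"][0].get("modifiedProperties") or "[]")
    return json.loads(props[0].get("newValue") or '""') if props else ""

def find_passthru_updates(rows):
    """Return the columns the query projects, one dict per row that sets pre-auth to Passthru."""
    hits = []
    for row in rows:
        if (row.get("LoggedByService"), row.get("OperationName"), row.get("Result")) != (
                "Application Proxy", "Update application", "success"):
            continue
        if pre_auth_setting(row) != "Passthru":
            continue
        user = row.get("InitiatedBy", {}).get("user") or {}  # empty when an app, not a user, acted
        hits.append({
            "TimeGenerated": row["TimeGenerated"],
            "PreAuthSetting": "Passthru",
            "App Display Name": row["TargetResources"][0].get("displayName", ""),
            "Actor": user.get("userPrincipalName", ""),
            "Actor IP Address": user.get("ipAddress", ""),
        })
    return hits
```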

Details

Matt Zorich

Released: July 30, 2022

Tables

AuditLogs, TargetResources, InitiatedBy

Keywords

AuditLogs, LoggedByService, OperationName, Result, TargetResources, modifiedProperties, newValue, PreAuthSetting, AppDisplayName, Actor, InitiatedBy.user, userPrincipalName, ipAddress, TimeGenerated

Operators

where, |, ==, extend, tostring, parse_json, [0], newValue, project