Audit Custom Security Attribute Set
Query
//Detect when a custom security attribute is set on a user
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where OperationName == "Update attribute values assigned to a user"
| extend x = tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].displayName)
| extend ["Attribute Value"] = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue))[0])
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| parse x with * '.' ['Attribute Set Name'] "_" *
| extend ["Attribute Name"]=split(x, "_")[1]
| project
TimeGenerated,
OperationName,
Target,
['Attribute Set Name'],
['Attribute Name'],
['Attribute Value'],
ActorExplanation
This query detects when a custom security attribute is set on a user in Azure Active Directory Audit Logs. It retrieves the time of the operation, the operation name, the target user, the attribute set name, the attribute name, the attribute value, and the actor who initiated the operation.
Details

Matt Zorich
Released: June 17, 2022
Tables
AuditLogs
Keywords
AuditLogsOperationNameUpdate attribute values assigned to a userTargetResourcesmodifiedPropertiesdisplayNameAttribute ValuenewValueTargetuserPrincipalNameActorInitiatedByparseAttribute Set NameAttribute NameTimeGenerated
Operators
whereextendtostringparse_jsonTargetResourcesmodifiedPropertiesdisplayNamenewValueuserPrincipalNameInitiatedByparsesplitproject