Query Details

Audit Detect Credential Added to App

Query

//Detect when a new credential is added to an Azure AD application registration
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where OperationName has "Update application – Certificates and secrets management"
| extend ApplicationName = tostring(TargetResources[0].displayName)
| extend ApplicationObjectId = tostring(TargetResources[0].id)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ActorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| project TimeGenerated, ApplicationName, ApplicationObjectId, Actor, ActorIPAddress

Explanation

This query detects when a new credential (certificate or client secret) is added to an Azure AD application registration. It requires the Azure Active Directory - Audit Logs data connector. The query filters AuditLogs to the operation "Update application – Certificates and secrets management", then extracts the application's display name and object ID from the first TargetResources entry and the actor's user principal name and IP address from InitiatedBy.user. The projected output is TimeGenerated, ApplicationName, ApplicationObjectId, Actor and ActorIPAddress.
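To show what the query's filter and projection yield on concrete records, here is an added Python re-implementation (not part of the original page or query) run over constructed AuditLogs rows. It goes beyond the page's query in one respect: when InitiatedBy.user is empty because a service principal made the change, it attributes the row to the initiating app (InitiatedBy.app) instead of leaving Actor blank. Field names follow the Azure AD audit log schema; all row values are constructed.

```python
import json

OPERATION = "Update application – Certificates and secrets management"

# Constructed sample rows shaped like Azure AD AuditLogs; values are not real tenant data.
SAMPLE_AUDIT_LOGS = [
    {"TimeGenerated": "2022-06-17T10:01:00Z", "OperationName": OPERATION,
     "TargetResources": [{"displayName": "payroll-api", "id": "app-obj-id-1"}],
     "InitiatedBy": {"user": {"userPrincipalName": "alice@example.com",
                              "ipAddress": "203.0.113.10"}, "app": None}},
    # Same operation done by a service principal: InitiatedBy.user is empty, so the
    # page's query would emit a blank Actor for this row.
    {"TimeGenerated": "2022-06-17T10:05:00Z", "OperationName": OPERATION,
     "TargetResources": [{"displayName": "ci-deployer", "id": "app-obj-id-2"}],
     "InitiatedBy": {"user": None, "app": json.dumps(
         {"displayName": "automation-sp", "servicePrincipalId": "sp-id-2"})}},
    # Unrelated operation that the where clause must drop.
    {"TimeGenerated": "2022-06-17T10:07:00Z", "OperationName": "Update user",
     "TargetResources": [{"displayName": "bob@example.com", "id": "user-id-3"}],
     "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com",
                              "ipAddress": "203.0.113.11"}, "app": None}},
]

def _as_dict(value):
    """Mirror parse_json(tostring(x)): accept a dict, a JSON string, or null."""
    if value is None or value == "":
        return {}
    return json.loads(value) if isinstance(value, str) else value

def detect_credential_added(rows):
    """Apply the page's filter and projection; when no user initiated the change,
    fall back to the initiating app so service-principal actors are not blank."""
    alerts = []
    for row in rows:
        # KQL `has` is a case-insensitive term match; a phrase compare stands in here.
        if OPERATION.lower() not in row.get("OperationName", "").lower():
            continue
        target = (row.get("TargetResources") or [{}])[0]
        user = _as_dict(row["InitiatedBy"].get("user"))
        app = _as_dict(row["InitiatedBy"].get("app"))
        alerts.append({
            "TimeGenerated": row["TimeGenerated"],
            "ApplicationName": target.get("displayName", ""),
            "ApplicationObjectId": target.get("id", ""),
            "Actor": user.get("userPrincipalName") or app.get("displayName", ""),
            "ActorType": "user" if user else ("app" if app else "unknown"),
            "ActorIPAddress": user.get("ipAddress", ""),
        })
    return alerts
```

Running `detect_credential_added(SAMPLE_AUDIT_LOGS)` returns two alerts: the user-initiated change with its UPN and IP, and the service-principal change attributed to `automation-sp` with an empty IP, while the unrelated "Update user" row is dropped.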

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AuditLogs, OperationName, Update application – Certificates and secrets management, TargetResources, displayName, id, Actor, InitiatedBy.user, userPrincipalName, ipAddress, TimeGenerated

Operators

where, has, extend, tostring, parse_json, project