Query Details

Audit Named Locations Changed

Query

//Detect when Azure AD Named Locations are changed (either IP or Country) and retrieve the current list 

//Data connector required for this query - Azure Active Directory - Audit Logs

let updatedip=
    AuditLogs
    | where OperationName == "Update named location"
    | mv-expand TargetResources
    | extend modifiedProperties = parse_json(TargetResources).modifiedProperties
    | mv-expand modifiedProperties  
    | extend newValue = tostring(parse_json(modifiedProperties).newValue)
    | mv-expand todynamic(newValue)
    | extend ipRanges = tostring(parse_json(newValue).ipRanges)
    | mv-expand todynamic(ipRanges) 
    | extend cidr = tostring(ipRanges.cidrAddress)
    | where isnotempty(cidr)
    | extend ['Named Location name'] = tostring(TargetResources.displayName)
    | summarize ['IP List']=make_list(cidr) by ['Named Location name'];
let updatedcountries=
    AuditLogs
    | where OperationName == "Update named location"
    | mv-expand TargetResources
    | extend modifiedProperties = parse_json(TargetResources).modifiedProperties
    | mv-expand modifiedProperties  
    | extend newValue = tostring(parse_json(modifiedProperties).newValue)
    | extend countriesAndRegions = tostring(parse_json(newValue).countriesAndRegions)
    | mv-expand todynamic(countriesAndRegions) 
    | where isnotempty(countriesAndRegions)
    | extend ['Named Location name'] = tostring(TargetResources.displayName)
    | summarize ['Country List']=make_list(countriesAndRegions) by ['Named Location name'];
union updatedip, updatedcountries

Explanation

This query detects changes to Azure AD Named Locations, whether the location is defined by IP ranges or by countries. It requires the Azure Active Directory - Audit Logs data connector. From each "Update named location" audit event, the query reads the new value of the modified properties. The first part extracts the CIDR ranges and the second part extracts the countries and regions, each grouped by named location name. The two results are then combined with union, giving an IP list or a country list for each named location that was updated.
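Because make_list collects values from every "Update named location" event in the query time range, a location edited more than once returns the values from all of its edits merged into one list. The variant below is an added example, not the original author's query: it keeps only the most recent update per named location and adds when it happened and who made it. The names latest, latestip, latestcountries and Actor are introduced here for illustration; InitiatedBy and TimeGenerated are standard AuditLogs columns.

```kql
// Added example: most recent "Update named location" event per named location,
// with the time of the change and the account or application that made it.
let latest =
    AuditLogs
    | where OperationName == "Update named location"
    | mv-expand TargetResources
    | extend ['Named Location name'] = tostring(TargetResources.displayName)
    // keep only the newest update event for each named location
    | summarize arg_max(TimeGenerated, InitiatedBy, TargetResources) by ['Named Location name']
    // user principal name if a user made the change, otherwise the app display name
    | extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
    | extend modifiedProperties = parse_json(TargetResources).modifiedProperties
    | mv-expand modifiedProperties
    | extend newValue = tostring(parse_json(modifiedProperties).newValue);
let latestip =
    latest
    // same expansion steps as the original query, applied to the latest event only
    | mv-expand todynamic(newValue)
    | extend ipRanges = tostring(parse_json(newValue).ipRanges)
    | mv-expand todynamic(ipRanges)
    | extend cidr = tostring(ipRanges.cidrAddress)
    | where isnotempty(cidr)
    | summarize ['IP List']=make_list(cidr) by ['Named Location name'], TimeGenerated, Actor;
let latestcountries =
    latest
    | extend countriesAndRegions = tostring(parse_json(newValue).countriesAndRegions)
    | mv-expand todynamic(countriesAndRegions)
    | where isnotempty(countriesAndRegions)
    | summarize ['Country List']=make_list(countriesAndRegions) by ['Named Location name'], TimeGenerated, Actor;
union latestip, latestcountries
```

Grouping is still by display name, as in the original query, so a renamed location appears under each name it has had within the time range.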

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs, TargetResources

Keywords

AzureAD, NamedLocations, IP, Country, AuditLogs, Updatenamedlocation, TargetResources, modifiedProperties, newValue, ipRanges, cidrAddress, displayName, countriesAndRegions, make_list, union

Operators

where, mv-expand, extend, parse_json, tostring, isnotempty, summarize, make_list, by, union
