Query Details

Audit New Domain Added

Query

//Detect when an admin adds a new unverified or verified domain into your Azure AD tenant

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName in ("Add verified domain", "Add unverified domain")
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Actor IP Address'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend Domain = tostring(TargetResources[0].displayName)
| project TimeGenerated, OperationName, Actor, ['Actor IP Address'], Domain

Explanation

This query detects when an admin adds a new unverified or verified domain to your Azure AD tenant. It uses the Azure Active Directory - Audit Logs data connector. The query returns the time the event was generated (TimeGenerated), the operation name, the actor (admin) who initiated the action, their IP address, and the domain that was added.

Details

Matt Zorich

Released: June 20, 2022

Tables

AuditLogs

Keywords

AuditLogs, OperationName, Add verified domain, Add unverified domain, InitiatedBy.user, userPrincipalName, ipAddress, TargetResources, displayName, TimeGenerated

Operators

where, in, extend, tostring, parse_json, project