Query Details
//Find when a new Azure AD tenant is created by a user in your tenant
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where OperationName == "Create Company"
| where Result == "success"
| extend Type = tostring(TargetResources[0].type)
| where Type == "Directory"
| extend ['Actor IP Address'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['New Tenant Id'] = tostring(TargetResources[0].id)
| project TimeGenerated, OperationName, Actor, ['Actor IP Address'], ['New Tenant Id']
This query finds when a user in your tenant creates a new Azure AD tenant. It requires the Azure Active Directory - Audit Logs data connector. It filters AuditLogs to the "Create Company" operation with a "success" result, then keeps only events whose first target resource is of type "Directory" (the newly created tenant). The initiating user's IP address and user principal name are parsed out of InitiatedBy.user, and the new tenant's ID is taken from the first target resource. The output is projected to the time generated, operation name, actor (the user who initiated the creation), actor IP address, and new tenant ID. A tenant created this way sits entirely outside your tenant's policies and monitoring, so every hit is worth reviewing. Note that failed creation attempts are dropped by the Result filter, and because only InitiatedBy.user is parsed, a creation recorded under InitiatedBy.app would show an empty Actor.
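The same detection logic, re-implemented in Python over a handful of constructed AuditLogs records, as an added example that is not part of the original page or the author's query. It assumes the records have the shape of the Sentinel AuditLogs table as exported to JSON (InitiatedBy and TargetResources as nested objects, or as JSON strings in some exports, which is the case the KQL parse_json(tostring(...)) pattern covers); the names, IPs and tenant IDs are made up.

```python
import json
from typing import Any, Dict, List

# Constructed sample rows mirroring the AuditLogs table. Values are fictional.
SAMPLE_AUDIT_LOGS: List[Dict[str, Any]] = [
    {   # successful user-initiated tenant creation: should be reported
        "TimeGenerated": "2022-12-08T10:15:00Z",
        "OperationName": "Create Company",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                                 "ipAddress": "203.0.113.10"}},
        "TargetResources": [{"type": "Directory",
                             "id": "11111111-2222-3333-4444-555555555555"}],
    },
    {   # failed attempt: excluded by the Result filter
        "TimeGenerated": "2022-12-08T10:20:00Z",
        "OperationName": "Create Company",
        "Result": "failure",
        "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example",
                                 "ipAddress": "203.0.113.11"}},
        "TargetResources": [{"type": "Directory",
                             "id": "66666666-7777-8888-9999-000000000000"}],
    },
    {   # nested fields serialised as JSON strings (the tostring/parse_json case)
        "TimeGenerated": "2022-12-08T11:00:00Z",
        "OperationName": "Create Company",
        "Result": "success",
        "InitiatedBy": json.dumps({"user": {"userPrincipalName": "carol@contoso.example",
                                            "ipAddress": "198.51.100.7"}}),
        "TargetResources": json.dumps([{"type": "Directory",
                                        "id": "77777777-8888-9999-aaaa-bbbbbbbbbbbb"}]),
    },
    {   # unrelated operation: excluded by the OperationName filter
        "TimeGenerated": "2022-12-08T11:05:00Z",
        "OperationName": "Add user",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                                 "ipAddress": "203.0.113.10"}},
        "TargetResources": [{"type": "User",
                             "id": "cccccccc-dddd-eeee-ffff-000000000001"}],
    },
    {   # initiated by an application, not a user: reported, but Actor is empty
        "TimeGenerated": "2022-12-08T12:00:00Z",
        "OperationName": "Create Company",
        "Result": "success",
        "InitiatedBy": {"app": {"displayName": "Provisioning App",
                                "servicePrincipalId": "dddddddd-0000-1111-2222-333333333333"}},
        "TargetResources": [{"type": "Directory",
                             "id": "eeeeeeee-1111-2222-3333-444444444444"}],
    },
]


def parse_dynamic(value: Any) -> Any:
    """Mirror KQL parse_json(tostring(x)): accept an object or its JSON text."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return None
    return value


def find_new_tenants(rows: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Apply the query's filters and projections to a list of AuditLogs rows."""
    hits: List[Dict[str, str]] = []
    for row in rows:
        # where OperationName == "Create Company" | where Result == "success"
        if row.get("OperationName") != "Create Company" or row.get("Result") != "success":
            continue
        # extend Type = tostring(TargetResources[0].type) | where Type == "Directory"
        targets = parse_dynamic(row.get("TargetResources")) or []
        first = targets[0] if targets else {}
        if str(first.get("type", "")) != "Directory":
            continue
        # extend Actor / Actor IP Address from InitiatedBy.user (empty if absent)
        initiated = parse_dynamic(row.get("InitiatedBy")) or {}
        user = initiated.get("user") or {}
        hits.append({
            "TimeGenerated": str(row.get("TimeGenerated", "")),
            "OperationName": str(row["OperationName"]),
            "Actor": str(user.get("userPrincipalName", "")),
            "Actor IP Address": str(user.get("ipAddress", "")),
            "New Tenant Id": str(first.get("id", "")),
        })
    return hits


if __name__ == "__main__":
    for hit in find_new_tenants(SAMPLE_AUDIT_LOGS):
        print(hit)
```

Running it prints three rows: the two user-initiated creations and the app-initiated one with an empty Actor, while the failed attempt and the unrelated operation are dropped, which is the same set the KQL would return for these rows.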

Matt Zorich
Released: December 8, 2022
Tables
AuditLogs
Operators
where, extend, project