Query Details

Audit Redirect URI Changed

Query

//Alert when the redirect URI list is changed for a service principal

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName == "Update service principal"
| mv-expand TargetResources
| extend modifiedProperties = parse_json(TargetResources).modifiedProperties
| mv-expand modifiedProperties 
| where modifiedProperties.displayName == "AppAddress" 
| extend newValue = tostring(parse_json(modifiedProperties).newValue)
| mv-expand todynamic(newValue)
| extend RedirectURI = tostring(newValue.Address)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Service Principal Name'] = tostring(TargetResources.displayName)
| summarize ['List of Redirect URIs']=make_list(RedirectURI) by Actor, ['Service Principal Name']

Explanation

This query detects changes to the redirect URI list of a service principal. It requires the Azure Active Directory - Audit Logs data connector. It filters the audit logs for "Update service principal" operations and expands the TargetResources field, then extracts modifiedProperties and keeps the entries whose displayName is "AppAddress". The newValue field is extracted as a string, converted to a dynamic value and expanded, and the Address field of each entry is stored as RedirectURI. The userPrincipalName from InitiatedBy.user is stored as Actor, and the display name of the target resource is stored as Service Principal Name. Finally, the query collects the RedirectURIs into a list for each Actor and Service Principal Name.
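Added example (not part of the original query or the author's code): the same extraction in Python over exported audit records, extended to compare oldValue with newValue so that only the URIs added or removed by each change are reported. The sample records, the function names and the fallback to InitiatedBy.app.displayName are assumptions made for this illustration.

```python
import json

# Constructed sample rows shaped like exported AuditLogs records; all values are made up.
SAMPLE_EVENTS = [
    {"OperationName": "Update service principal",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "TargetResources": [{"displayName": "Example App", "modifiedProperties": [{
         "displayName": "AppAddress",
         # oldValue/newValue hold a JSON array serialized as a string
         "oldValue": json.dumps([{"Address": "https://app.example.com/cb"}]),
         "newValue": json.dumps([{"Address": "https://app.example.com/cb"},
                                 {"Address": "https://login.example.net/cb"}])}]}]},
    {"OperationName": "Update service principal",  # changed by an app, not a user
     "InitiatedBy": {"app": {"displayName": "Example Automation"}},
     "TargetResources": [{"displayName": "Second App", "modifiedProperties": [{
         "displayName": "AppAddress", "oldValue": "[]",
         "newValue": json.dumps([{"Address": "http://localhost:8080"}])}]}]},
    {"OperationName": "Update user", "InitiatedBy": {}, "TargetResources": []},
]

def addresses(raw):
    """Decode an AppAddress value (JSON text) into its list of Address strings."""
    try:
        items = json.loads(raw) if raw else []
    except (TypeError, ValueError):
        return []
    if not isinstance(items, list):
        return []
    return [i["Address"] for i in items if isinstance(i, dict) and i.get("Address")]

def redirect_uri_changes(events):
    """Return one dict per AppAddress change with the URIs added and removed."""
    changes = []
    for event in events:
        if event.get("OperationName") != "Update service principal":
            continue
        initiator = event.get("InitiatedBy") or {}
        # The query reads only InitiatedBy.user; fall back to the app's name here.
        actor = ((initiator.get("user") or {}).get("userPrincipalName")
                 or (initiator.get("app") or {}).get("displayName") or "")
        for target in event.get("TargetResources") or []:
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") != "AppAddress":
                    continue
                old, new = addresses(prop.get("oldValue")), addresses(prop.get("newValue"))
                changes.append({"actor": actor,
                                "service_principal": target.get("displayName", ""),
                                "added": [u for u in new if u not in old],
                                "removed": [u for u in old if u not in new]})
    return changes

if __name__ == "__main__":
    for change in redirect_uri_changes(SAMPLE_EVENTS):
        print(change)
```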

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AuditLogs, OperationName, Update service principal, TargetResources, modifiedProperties, displayName, AppAddress, newValue, Address, InitiatedBy.user, userPrincipalName, RedirectURI, Actor, Service Principal Name, List of Redirect URIs

Operators

where, mv-expand, extend, parse_json, tostring, summarize, by
