Audit Show What Actionstookplacefromwhich App Or User
Query
// Audit Actions
IntuneAuditLogs
| parse Properties with * ',"TargetDisplayNames":["' Object '"],' *
| where Object != ""
| extend User = todynamic(Properties).Actor.UPN
| extend ['Azure Application'] = todynamic(Properties).Actor.ApplicationName
| extend DeviceID = replace_regex(tostring(todynamic(Properties).TargetObjectIds), @'["\[\]]', "")
| project OperationName, DeviceID, ['Task'] = Object, ['Azure Application'], UserExplanation
This query is pulling data from the IntuneAuditLogs, specifically focusing on the 'Properties' field. It is looking for any instances where the 'Object' field is not empty. It then creates new fields for 'User', 'Azure Application', and 'DeviceID' by extracting specific information from the 'Properties' field. The 'DeviceID' field specifically is cleaned up by removing any square brackets or quotation marks. Finally, it displays the results with the columns 'OperationName', 'DeviceID', 'Task', 'Azure Application', and 'User'. The 'Task' column is essentially the 'Object' field from the original data.
Details

Ugur Koc
Released: July 8, 2022
Tables
IntuneAuditLogs
Keywords
IntuneAuditLogsPropertiesObjectUserAzure ApplicationDeviceIDOperationNameTask
Operators
IntuneAuditLogsparsewhereextendtodynamicreplace_regextostringproject