Query Details

Audit: Show What Actions Took Place From Which App Or User

Query

// Audit Actions
IntuneAuditLogs
| parse Properties with * ',"TargetDisplayNames":["' Object '"],' *
| where Object != ""
| extend User = todynamic(Properties).Actor.UPN
| extend ['Azure Application'] = todynamic(Properties).Actor.ApplicationName
| extend DeviceID = replace_regex(tostring(todynamic(Properties).TargetObjectIds), @'["\[\]]', "")
| project OperationName, DeviceID, ['Task'] = Object, ['Azure Application'], User 

Explanation

This query reads IntuneAuditLogs and works on the 'Properties' field, which carries the audit record as JSON text. The parse step extracts the value found between '"TargetDisplayNames":["' and '"],' into a new column called 'Object', and rows where nothing was extracted (an empty 'Object') are dropped. It then adds 'User', 'Azure Application', and 'DeviceID' columns by reading the Actor.UPN, Actor.ApplicationName, and TargetObjectIds values out of 'Properties' with todynamic(). The 'DeviceID' value is cleaned up by removing any square brackets or quotation marks, so the JSON array of IDs becomes a plain comma-separated string. Finally, it displays the columns 'OperationName', 'DeviceID', 'Task', 'Azure Application', and 'User', where 'Task' is the 'Object' column renamed.
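The following Python script is an added example, not part of the original query page: it re-implements the same extraction steps (the parse pattern, the non-empty filter, the Actor.UPN / Actor.ApplicationName lookups, and the bracket-and-quote stripping of TargetObjectIds) over constructed sample rows, so the shape of the Properties payload the query depends on can be inspected outside Log Analytics. The sample rows, UPNs, device names and object IDs are invented for the example; the layout of Properties (an Actor object plus TargetDisplayNames and TargetObjectIds arrays, serialized as compact JSON) is assumed from the keys the query itself references. The third sample row shows what the text-based parse pattern yields when an audit record targets more than one object.

```python
import json
import re


def compact(obj):
    """Serialize like a compact JSON payload (no spaces after ',' or ':').
    The query's parse pattern is whitespace-sensitive, so this matters."""
    return json.dumps(obj, separators=(",", ":"))


# Constructed sample rows (not real tenant data). Each row mirrors the two
# IntuneAuditLogs columns the query uses: OperationName and Properties.
SAMPLE_ROWS = [
    {
        "OperationName": "Update ManagedDevice",
        "Properties": compact({
            "Actor": {"UPN": "alice@example.com",
                      "ApplicationName": "Microsoft Intune portal extension"},
            "TargetDisplayNames": ["LAPTOP-0001"],
            "TargetObjectIds": ["11111111-1111-1111-1111-111111111111"],
        }),
    },
    {
        # No target display name: the query's 'where Object != ""' drops this row.
        "OperationName": "Get DeviceConfiguration",
        "Properties": compact({
            "Actor": {"UPN": "svc-automation@example.com",
                      "ApplicationName": "Constructed automation client"},
            "TargetDisplayNames": [],
            "TargetObjectIds": [],
        }),
    },
    {
        # Two targets in one record: the text parse captures everything up to
        # the first '"],', so the inner quotes and comma end up inside 'Task'.
        "OperationName": "Update ManagedDevice",
        "Properties": compact({
            "Actor": {"UPN": "bob@example.com",
                      "ApplicationName": "Microsoft Intune portal extension"},
            "TargetDisplayNames": ["LAPTOP-0002", "LAPTOP-0003"],
            "TargetObjectIds": ["22222222-2222-2222-2222-222222222222",
                                "33333333-3333-3333-3333-333333333333"],
        }),
    },
]

# Equivalent of:  parse Properties with * ',"TargetDisplayNames":["' Object '"],' *
# The column is emulated with a lazy match that stops at the first '"],'.
PARSE_PATTERN = re.compile(r',"TargetDisplayNames":\["(.*?)"\],')

# Equivalent of:  replace_regex(tostring(TargetObjectIds), @'["\[\]]', "")
STRIP_PATTERN = re.compile(r'["\[\]]')


def extract_audit_actions(rows):
    """Return the projected rows (OperationName, DeviceID, Task, Azure
    Application, User) exactly as the KQL query would shape them."""
    results = []
    for row in rows:
        props_text = row["Properties"]
        match = PARSE_PATTERN.search(props_text)
        task = match.group(1) if match else ""  # unmatched parse -> empty string
        if task == "":                           # where Object != ""
            continue
        props = json.loads(props_text)           # todynamic(Properties)
        actor = props.get("Actor", {})
        device_id = STRIP_PATTERN.sub("", compact(props.get("TargetObjectIds", [])))
        results.append({
            "OperationName": row["OperationName"],
            "DeviceID": device_id,
            "Task": task,
            "Azure Application": actor.get("ApplicationName"),
            "User": actor.get("UPN"),
        })
    return results


if __name__ == "__main__":
    for rec in extract_audit_actions(SAMPLE_ROWS):
        print(rec)
```

Running the script prints two records: the single-target row comes out clean, while the multi-target row yields a Task of `LAPTOP-0002","LAPTOP-0003` and a DeviceID of two GUIDs joined by a comma. If that case matters for your tenant, reading the array through the same `todynamic(Properties).TargetDisplayNames` path the query already uses for Actor avoids the text-pattern capture entirely.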

Details

Ugur Koc

Released: July 8, 2022

Tables

IntuneAuditLogs

Keywords

IntuneAuditLogs,Properties,Object,User,AzureApplication,DeviceID,OperationName,Task

Operators

IntuneAuditLogs,parse,where,extend,todynamic,replace_regex,tostring,project