Query Details

Audit Logs Application URI Added

Query

AuditLogs
// Application object updates. The trailing filter is left commented out on purpose: failed attempts and
// other operation names are kept, and Result / OperationName are carried through to the output instead.
| where Category == "ApplicationManagement" and AADOperationType == "Update" //and OperationName == "Update Application" and Result == "success"
// One row per target resource, then one row per modified property on that resource
| mv-expand TargetResource = TargetResources
| mv-expand modifiedProperty = TargetResource["modifiedProperties"]
| extend ModifiedProperty = tostring(modifiedProperty["displayName"])
// AppIdentifierUri = the app's identifier URIs; AppAddress = reply (redirect) URLs and other registered addresses
| where ModifiedProperty in ("AppIdentifierUri", "AppAddress")
| extend
    // Both values are JSON strings. AppIdentifierUri holds an array of URI strings, so todynamic() is enough;
    // AppAddress holds an array of objects, so the regex pulls out every "Address" field.
    NewAddresses = iff(ModifiedProperty == "AppIdentifierUri", todynamic(tostring(modifiedProperty["newValue"])), extract_all(@'\"Address\"\:\"([^"]+)\"', tostring(modifiedProperty["newValue"]))),
    OldAddresses = iff(ModifiedProperty == "AppIdentifierUri", todynamic(tostring(modifiedProperty["oldValue"])), extract_all(@'\"Address\"\:\"([^"]+)\"', tostring(modifiedProperty["oldValue"])))
| where isnotempty(NewAddresses)
// Keep only URIs present after the change that were not present before (removals and reorderings are ignored)
| extend AddedAddresses = set_difference(NewAddresses, OldAddresses)
| where array_length(AddedAddresses) > 0
| mv-expand AddedAddress = AddedAddresses to typeof(string)
| extend
    ResourceDisplayName = tostring(TargetResource["displayName"]),
    TargetResources = pack(OperationName, TargetResources)
// Collapse the audit events raised by one change back to one row per correlation id and added address
| summarize
    TimeGenerated = min(TimeGenerated),
    OperationNames = make_set(OperationName),
    AddedAddresses = make_set(AddedAddresses),
    OldAddresses = make_set(OldAddresses),
    TargetResources = make_bag(TargetResources),
    take_any(LoggedByService, Category, AADOperationType, AdditionalDetails, Identity, InitiatedBy)
    by CorrelationId, Result, ResourceDisplayName, ModifiedProperty, AddedAddress
| extend
    // InitiatedBy holds either an "app" or a "user" object; the IP address is read from whichever one is present
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| project
    TimeGenerated,
    Category,
    AADOperationType,
    Identity,
    Initiator,
    IPAddress,
    OperationNames,
    Result,
    ResourceDisplayName,
    ModifiedProperty,
    AddedAddress,
    AddedAddresses,
    OldAddresses,
    InitiatorId,
    InitiatedBy,
    AdditionalDetails,
    TargetResources,
    LoggedByService,
    CorrelationId

Explanation

This query reads AuditLogs events with Category "ApplicationManagement" and AADOperationType "Update", expands each event's target resources and their modified properties, and keeps only changes to the "AppIdentifierUri" and "AppAddress" properties: the identifier URIs under which the application is addressed as a resource, and the reply (redirect) URLs and other addresses registered on it.

Both the old and the new value of a modified property are stored as JSON strings. For "AppIdentifierUri" the value is an array of URI strings and is parsed with todynamic(); for "AppAddress" it is an array of objects, so the query extracts each "Address" field with a regular expression. The two arrays are then compared with set_difference(), which returns the URIs present in the new value but absent from the old one. Rows with an empty new value or with no added URIs are dropped, so removals and reorderings do not produce a result, and the remaining added URIs are expanded into one row each.

Next the query records the target application's display name, packs the original TargetResources under the operation name, and summarizes by correlation ID, result, resource display name, modified property and added address, so that the several audit events raised by a single change collapse into one row.

Finally it derives the initiator's display name or user principal name, object ID and IP address from InitiatedBy, which holds either an "app" or a "user" object, and projects the output columns.

In simpler terms, the query reports every identifier URI or address newly added to an application registration, who added it, and from which IP address. An added reply URL is the change most worth scrutiny, since a redirect target under an attacker's control can receive authorization codes or tokens issued to the application. Note that Result is not filtered (that part of the first where clause is commented out), so failed attempts are returned as well and can be distinguished by the Result column.
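The following is an added example, not part of the original query page: the same detection logic rewritten in Python and run over three constructed AuditLogs records (the tenant, application names, URIs and initiators are made up). It uses a JSON parse instead of the query's regex for the "AppAddress" objects, handles a null oldValue as an empty set so a first-ever identifier URI shows up as added, and, like set_difference(), ignores a change that only removes URIs.

```python
import json
from typing import Any, Optional

# Constructed sample AuditLogs records (not real tenant data). As in Entra ID,
# the oldValue/newValue inside modifiedProperties are JSON encoded as strings.
SAMPLE_AUDIT_LOGS: list = [
    {   # A user adds a reply URL the app did not have before.
        "TimeGenerated": "2023-02-09T10:00:00Z", "OperationName": "Update application",
        "Result": "success", "CorrelationId": "11111111-1111-4111-8111-111111111111",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                                 "id": "a1", "ipAddress": "203.0.113.10"}},
        "TargetResources": [{
            "displayName": "Payroll Portal",
            "modifiedProperties": [{
                "displayName": "AppAddress",
                "oldValue": '[{"Address":"https://payroll.contoso.example/signin","AddressType":"Reply"}]',
                "newValue": '[{"Address":"https://payroll.contoso.example/signin","AddressType":"Reply"},'
                            '{"Address":"https://login.attacker.example/cb","AddressType":"Reply"}]',
            }],
        }],
    },
    {   # A service principal sets the first identifier URI; oldValue is null.
        "TimeGenerated": "2023-02-09T10:05:00Z", "OperationName": "Update application",
        "Result": "success", "CorrelationId": "22222222-2222-4222-8222-222222222222",
        "InitiatedBy": {"app": {"displayName": "Deploy Pipeline", "servicePrincipalId": "sp1",
                                "ipAddress": "198.51.100.7"}},
        "TargetResources": [{
            "displayName": "Inventory API",
            "modifiedProperties": [{
                "displayName": "AppIdentifierUri",
                "oldValue": None,
                "newValue": '["api://inventory.contoso.example"]',
            }],
        }],
    },
    {   # A removal only: nothing is added, so no finding is produced.
        "TimeGenerated": "2023-02-09T10:10:00Z", "OperationName": "Update application",
        "Result": "success", "CorrelationId": "33333333-3333-4333-8333-333333333333",
        "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example",
                                 "id": "b1", "ipAddress": "203.0.113.11"}},
        "TargetResources": [{
            "displayName": "Payroll Portal",
            "modifiedProperties": [{
                "displayName": "AppIdentifierUri",
                "oldValue": '["api://payroll","api://payroll-legacy"]',
                "newValue": '["api://payroll"]',
            }],
        }],
    },
]

WATCHED_PROPERTIES = ("AppIdentifierUri", "AppAddress")


def addresses(value: Optional[str]) -> set:
    """Set of URIs listed in a modifiedProperties value.

    AppIdentifierUri is a JSON array of strings; AppAddress is a JSON array of
    objects carrying an "Address" key (the field the KQL regex extracts).
    A null or empty value becomes the empty set.
    """
    if not value:
        return set()
    return {i["Address"] if isinstance(i, dict) else str(i) for i in json.loads(value)}


def initiator(initiated_by: dict) -> tuple:
    """(display name or UPN, object id, ip) of the app or user that made the change."""
    if initiated_by.get("app"):
        app = initiated_by["app"]
        return app.get("displayName", ""), app.get("servicePrincipalId", ""), app.get("ipAddress", "")
    user = initiated_by.get("user", {})
    return user.get("userPrincipalName", ""), user.get("id", ""), user.get("ipAddress", "")


def added_app_addresses(records: list) -> list:
    """One finding per newly added identifier URI or address, mirroring the query's output rows."""
    findings = []
    for rec in records:
        name, ident, ip = initiator(rec.get("InitiatedBy", {}))
        for target in rec.get("TargetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") not in WATCHED_PROPERTIES:
                    continue
                new, old = addresses(prop.get("newValue")), addresses(prop.get("oldValue"))
                for added in sorted(new - old):  # set_difference(NewAddresses, OldAddresses)
                    findings.append({
                        "TimeGenerated": rec["TimeGenerated"], "CorrelationId": rec["CorrelationId"],
                        "ResourceDisplayName": target.get("displayName", ""),
                        "ModifiedProperty": prop["displayName"], "AddedAddress": added,
                        "Initiator": name, "InitiatorId": ident, "IPAddress": ip,
                        "Result": rec.get("Result", ""),
                    })
    return findings


if __name__ == "__main__":
    for f in added_app_addresses(SAMPLE_AUDIT_LOGS):
        print(f"{f['TimeGenerated']} {f['Initiator']} ({f['IPAddress']}) added "
              f"{f['ModifiedProperty']} {f['AddedAddress']} to {f['ResourceDisplayName']}")
```

Running it yields two findings (the attacker-controlled reply URL added to "Payroll Portal" and the new identifier URI on "Inventory API") and nothing for the third record, which only removes a URI; this is the behaviour to expect from the KQL above as well, since a removed or reordered URI never appears in set_difference(NewAddresses, OldAddresses).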

Details

Jose Sebastián Canós

Released: February 9, 2023

Tables

AuditLogs

Keywords

AuditLogs,ApplicationManagement,Update,TargetResource,ModifiedProperties,AppIdentifierUri,AppAddress,NewAddresses,OldAddresses,AddedAddresses,ResourceDisplayName,TargetResources,TimeGenerated,OperationNames,Identity,Initiator,IPAddress,Result,ModifiedProperty,AddedAddress,InitiatorId,InitiatedBy,AdditionalDetails,LoggedByService,CorrelationId

Operators

where, mv-expand, extend, tostring, in, iff, todynamic, extract_all, isnotempty, set_difference, array_length, pack, summarize, min, make_set, make_bag, take_any, by, iif, bag_keys, project
