Query Details

Audit Logs Azure AD B2C Settings Modified

Query

AuditLogs
| where LoggedByService == "B2C" and OperationName has_any ("B2C", "CIAM", "Guest Usages") and OperationName has_any ("Create", "Update", "Delete")
| extend
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| project
    TimeGenerated,
    Category,
    Initiator,
    IPAddress,
    OperationName,
    Result,
    InitiatedBy,
    AdditionalDetails,
    TargetResources,
    LoggedByService,
    InitiatorId,
    CorrelationId

Explanation

This query filters the AuditLogs table for records where LoggedByService is "B2C" and OperationName contains any of "B2C", "CIAM", or "Guest Usages" and also any of "Create", "Update", or "Delete".

It then extends each record with the initiator of the operation, which can be either an app (its display name) or a user (the user principal name), and with the initiator's ID (the service principal ID for an app, the user ID otherwise). It also extracts the IP address from which the operation was initiated, reading it from the first entry in InitiatedBy.

Finally, the query projects, or selects, the fields to display in the output: the time the record was generated, the category, the initiator, the IP address, the operation name, the result, who initiated the operation, any additional details, the target resources, the service that logged the operation, the initiator's ID, and the correlation ID.
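
To check the filter and the initiator extraction before relying on the query, the added example below (not part of the original query page) runs the same logic over a constructed datatable. The operation names, identities and IP addresses are made-up sample values, and the SampleAuditLogs table and MatchesFilter column are introduced here only to show which rows the where clause would keep.

```kusto
// Constructed sample rows: operation names, identities and IPs are illustrative only.
let SampleAuditLogs = datatable(
    TimeGenerated: datetime,
    LoggedByService: string,
    OperationName: string,
    Result: string,
    InitiatedBy: dynamic
)
[
    // User-initiated settings change logged by B2C
    datetime(2023-05-24T10:00:00Z), "B2C", "Update B2C directory settings", "success",
        dynamic({"user": {"id": "00000000-0000-0000-0000-000000000001", "userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}}),
    // App-initiated change; this sample record carries no ipAddress
    datetime(2023-05-24T10:05:00Z), "B2C", "Create CIAM resource", "success",
        dynamic({"app": {"servicePrincipalId": "00000000-0000-0000-0000-000000000002", "displayName": "Sample Provisioning App"}}),
    // Read operation: no Create/Update/Delete term in the operation name
    datetime(2023-05-24T10:10:00Z), "B2C", "Get B2C directory settings", "success",
        dynamic({"user": {"id": "00000000-0000-0000-0000-000000000003", "userPrincipalName": "reader@contoso.example", "ipAddress": "198.51.100.7"}}),
    // Change logged by a different service than B2C
    datetime(2023-05-24T10:15:00Z), "Core Directory", "Update user", "success",
        dynamic({"user": {"id": "00000000-0000-0000-0000-000000000004", "userPrincipalName": "helpdesk@contoso.example", "ipAddress": "192.0.2.25"}})
];
SampleAuditLogs
// Same conditions as the where clause of the query, kept as a column so every row stays visible
| extend MatchesFilter = LoggedByService == "B2C"
    and OperationName has_any ("B2C", "CIAM", "Guest Usages")
    and OperationName has_any ("Create", "Update", "Delete")
// Same initiator and IP extraction as the query
| extend
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| project TimeGenerated, LoggedByService, OperationName, MatchesFilter, Initiator, InitiatorId, IPAddress
```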

Details

Jose Sebastián Canós

Released: May 24, 2023

Tables

AuditLogs

Keywords

AuditLogs, B2C, CIAM, GuestUsages, Create, Update, Delete, Initiator, InitiatorId, IPAddress, TimeGenerated, Category, OperationName, Result, InitiatedBy, AdditionalDetails, TargetResources, LoggedByService, CorrelationId

Operators

where, extend, iif, isnotempty, tostring, bag_keys, project