Query Details
AuditLogs
| where case(
    OperationName has_any ("domain"), true,
    LoggedByService == "AAD Management UX" and Category == "Policy", true,
    LoggedByService == "Authentication Methods" and Category == "ApplicationManagement", true,
    false
)
| extend
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"]))
| project
    TimeGenerated,
    Category,
    AADOperationType,
    OperationName,
    Result,
    TargetResources,
    Initiator,
    InitiatorId,
    InitiatedBy,
    AdditionalDetails,
    CorrelationId
This query reads the AuditLogs table and keeps an entry when any of three conditions holds: the OperationName contains the term "domain" (has_any is a case-insensitive term match), the event was logged by the "AAD Management UX" service with Category "Policy", or it was logged by the "Authentication Methods" service with Category "ApplicationManagement". The case() expression returns false for everything else, so those entries are dropped.
The query then adds two columns, Initiator and InitiatorId. When InitiatedBy contains an app, Initiator is the app's display name and InitiatorId is its service principal id; otherwise Initiator is the user's principal name and InitiatorId is the user's id.
Finally, the query projects the columns to display: TimeGenerated, Category, AADOperationType, OperationName, Result, TargetResources, Initiator, InitiatorId, InitiatedBy, AdditionalDetails and CorrelationId.
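The following is an added example, not part of the original query page: it pipes a handful of constructed AuditLogs rows (a datatable, not real tenant data) through the same case() filter and extend logic so that the matching behaviour of each condition and the app-versus-user initiator handling can be checked before the query is run against a live workspace. The row values, the "Core Directory" service name and the closing summarize are assumptions chosen for illustration.

```kql
// Constructed sample rows mirroring the AuditLogs columns the query uses.
// Values are invented for this example and are not real tenant data.
let SampleAuditLogs = datatable(
    TimeGenerated: datetime,
    Category: string,
    AADOperationType: string,
    OperationName: string,
    Result: string,
    LoggedByService: string,
    InitiatedBy: dynamic,
    TargetResources: dynamic,
    AdditionalDetails: dynamic,
    CorrelationId: string
) [
    // 1. user adds a domain: matched by the "domain" term in OperationName
    datetime(2023-05-25T10:00:00Z), "DirectoryManagement", "Add", "Add unverified domain", "success", "Core Directory",
        dynamic({"user": {"userPrincipalName": "admin@contoso.example", "id": "user-guid-1"}}),
        dynamic([{"displayName": "contoso.example", "type": "Domain"}]), dynamic([]), "corr-0001",
    // 2. app (service principal) changes a policy through the portal service
    datetime(2023-05-25T10:05:00Z), "Policy", "Update", "Update policy", "success", "AAD Management UX",
        dynamic({"app": {"displayName": "Automation SP", "servicePrincipalId": "sp-guid-1"}}),
        dynamic([{"displayName": "Default Policy", "type": "Policy"}]), dynamic([]), "corr-0002",
    // 3. authentication method policy change: matched by service + category
    datetime(2023-05-25T10:10:00Z), "ApplicationManagement", "Update", "Authentication Methods Policy Update", "success", "Authentication Methods",
        dynamic({"user": {"userPrincipalName": "admin@contoso.example", "id": "user-guid-1"}}),
        dynamic([{"displayName": "Authentication Methods Policy", "type": "Policy"}]), dynamic([]), "corr-0003",
    // 4. routine user update: matches none of the three conditions, dropped
    datetime(2023-05-25T10:15:00Z), "UserManagement", "Update", "Update user", "success", "Core Directory",
        dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example", "id": "user-guid-2"}}),
        dynamic([{"displayName": "someone@contoso.example", "type": "User"}]), dynamic([]), "corr-0004",
    // 5. Policy category but logged by a different service: also dropped
    datetime(2023-05-25T10:20:00Z), "Policy", "Update", "Update policy", "success", "Core Directory",
        dynamic({"user": {"userPrincipalName": "admin@contoso.example", "id": "user-guid-1"}}),
        dynamic([{"displayName": "Some Policy", "type": "Policy"}]), dynamic([]), "corr-0005"
];
SampleAuditLogs
// Same three conditions as the page's query; false is the default branch
| where case(
    OperationName has_any ("domain"), true,
    LoggedByService == "AAD Management UX" and Category == "Policy", true,
    LoggedByService == "Authentication Methods" and Category == "ApplicationManagement", true,
    false)
// Coalesce the initiator: app display name / service principal id when an app
// is present, otherwise the user's UPN / object id
| extend
    Initiator   = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"]))
// Triage view (added here, not in the page's query): one row per initiator
// with the count and set of configuration changes they made
| summarize
    Events = count(),
    Operations = make_set(OperationName),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by Initiator, InitiatorId
| order by Events desc
```

Rows 1, 2 and 3 pass the filter (one per condition), while rows 4 and 5 are dropped, row 5 showing that Category "Policy" alone is not enough without the matching LoggedByService. The summarize collapses the survivors to two rows, the human admin with two changes and the automation service principal with one, which is the shape a reviewer wants when deciding whether a burst of domain, policy or authentication-method changes was expected.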

Jose Sebastián Canós
Released: May 25, 2023