Query Details

Audit Logs Changes to Application Ownership

Query

AuditLogs
// Only Core Directory events in the ApplicationManagement category whose operation name mentions "owner"
| where LoggedByService == "Core Directory" and Category == "ApplicationManagement" and OperationName has "owner"
// Flatten the first target resource's modifiedProperties into one bag keyed by property display name
| mv-apply modifiedProperty = TargetResources[0]["modifiedProperties"] on (
    summarize modifiedProperties = make_bag(
        bag_pack(tostring(modifiedProperty["displayName"]),
            // the values are JSON-encoded strings, so strip surrounding quotes and whitespace
            bag_pack("oldValue", trim(@'[\"\s]+', tostring(modifiedProperty["oldValue"])),
                "newValue", trim(@'[\"\s]+', tostring(modifiedProperty["newValue"])))))
    )
| extend
    // TargetResources[0] is the owner being added or removed
    OwnerId = TargetResources[0]["id"],
    Owner = TargetResources[0]["userPrincipalName"],
    // Assign events carry the app details in newValue, Unassign events in oldValue
    AppDisplayName = tostring(modifiedProperties[case(OperationName has "application", "Application.DisplayName", OperationName has "service principal", "ServicePrincipal.DisplayName", "")][case(AADOperationType == "Assign", "newValue", AADOperationType == "Unassign", "oldValue", "")]),
    AppId = tostring(modifiedProperties[case(OperationName has "application", "Application.AppId", OperationName has "service principal", "ServicePrincipal.AppId", "")]["newValue"]),
    // The initiator is either an application (service principal) or a user
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    // Read ipAddress from whichever initiator key ("app" or "user") is present
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| project
    TimeGenerated,
    Identity,
    Initiator,
    IPAddress,
    OperationName,
    Owner,
    AppDisplayName,
    InitiatedBy,
    AdditionalDetails,
    TargetResources,
    InitiatorId,
    OwnerId,
    AppId,
    CorrelationId

Explanation

This query filters the audit logs to events where the logging service is "Core Directory", the category is "ApplicationManagement", and the operation name includes "owner". It then extracts the modified properties of the first target resource.

The query collects these modified properties into a property bag keyed by display name, holding each property's old value and new value, and trims any surrounding quotation marks or whitespace from both values.

Next, the query adds fields to the output: the owner's ID and name, the application's display name and ID, and details about who initiated the action. If the initiator was an application, it uses the application's display name and service principal ID; if the initiator was a user, it uses the user's principal name and ID. It also includes the initiator's IP address.

Finally, the query selects the fields to display: the time the action was logged, the identity, the initiator, the IP address, the operation name, the owner, the application's display name, who initiated the action, any additional details, the target resources, the initiator's ID, the owner's ID, the application's ID, and the correlation ID.
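The extraction steps above can be checked against constructed data before the query is scheduled on a tenant. As an added example that is not part of the original page, the two AuditLogs rows below (an Add owner and a Remove owner event, with placeholder GUIDs, names and IP address) are built with datatable and run through the same logic:

```kql
// Added example, not part of the original query: constructed "Add owner" (Assign) and
// "Remove owner" (Unassign) events with placeholder GUIDs, names and IP address.
// TargetResources[0] is the owner; the app's properties ride along as modifiedProperties
// whose values are JSON-encoded strings (hence the quotes the query trims away).
let SampleAuditLogs = datatable(TimeGenerated: datetime, LoggedByService: string, Category: string,
    OperationName: string, AADOperationType: string, InitiatedBy: dynamic, TargetResources: dynamic)
[
    datetime(2023-02-14T10:00:00Z), "Core Directory", "ApplicationManagement", "Add owner to application", "Assign",
    dynamic({"user": {"id": "11111111-1111-1111-1111-111111111111", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"}}),
    dynamic([{"id": "22222222-2222-2222-2222-222222222222", "type": "User", "userPrincipalName": "bob@contoso.example",
              "modifiedProperties": [
                  {"displayName": "Application.DisplayName", "oldValue": null, "newValue": "\"Payroll Connector\""},
                  {"displayName": "Application.AppId", "oldValue": null, "newValue": "\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\""}]},
             {"id": "33333333-3333-3333-3333-333333333333", "type": "Application", "displayName": "Payroll Connector", "modifiedProperties": []}]),
    datetime(2023-02-14T11:00:00Z), "Core Directory", "ApplicationManagement", "Remove owner from application", "Unassign",
    dynamic({"user": {"id": "11111111-1111-1111-1111-111111111111", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"}}),
    dynamic([{"id": "22222222-2222-2222-2222-222222222222", "type": "User", "userPrincipalName": "bob@contoso.example",
              "modifiedProperties": [
                  {"displayName": "Application.DisplayName", "oldValue": "\"Payroll Connector\"", "newValue": null},
                  {"displayName": "Application.AppId", "oldValue": "\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"", "newValue": null}]},
             {"id": "33333333-3333-3333-3333-333333333333", "type": "Application", "displayName": "Payroll Connector", "modifiedProperties": []}])
];
SampleAuditLogs
| where LoggedByService == "Core Directory" and Category == "ApplicationManagement" and OperationName has "owner"
// Same flattening as the page's query: one bag per event, keyed by property display name
| mv-apply modifiedProperty = TargetResources[0]["modifiedProperties"] on (
    summarize modifiedProperties = make_bag(
        bag_pack(tostring(modifiedProperty["displayName"]),
            bag_pack("oldValue", trim(@'[\"\s]+', tostring(modifiedProperty["oldValue"])),
                "newValue", trim(@'[\"\s]+', tostring(modifiedProperty["newValue"])))))
    )
| extend
    Owner = tostring(TargetResources[0]["userPrincipalName"]),
    // Assign row reads newValue, Unassign row reads oldValue; both should yield "Payroll Connector"
    AppDisplayName = tostring(modifiedProperties[case(OperationName has "application", "Application.DisplayName", OperationName has "service principal", "ServicePrincipal.DisplayName", "")][case(AADOperationType == "Assign", "newValue", AADOperationType == "Unassign", "oldValue", "")]),
    AppId = tostring(modifiedProperties[case(OperationName has "application", "Application.AppId", OperationName has "service principal", "ServicePrincipal.AppId", "")]["newValue"]),
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| project TimeGenerated, OperationName, AADOperationType, Initiator, IPAddress, Owner, AppDisplayName, AppId
```

Because AppId is read from newValue only, it comes back empty for the Unassign row, which is worth knowing before keying an alert or enrichment on that column.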

Details

Jose Sebastián Canós

Released: February 14, 2023

Tables

AuditLogs

Keywords

AuditLogs, CoreDirectory, ApplicationManagement, Owner, ModifiedProperty, TargetResources, DisplayName, OldValue, NewValue, OwnerId, UserPrincipalName, AppDisplayName, Application, ServicePrincipal, AADOperationType, Assign, Unassign, AppId, Initiator, InitiatedBy, IPAddress, TimeGenerated, Identity, AdditionalDetails, CorrelationId

Operators

AuditLogs, where, mv-apply, summarize, make_bag, bag_pack, tostring, trim, extend, case, iif, isnotempty, project