Query Details

Audit Logs Conditional Access Configuration Modified

Query

AuditLogs
// Uncomment the rest of the condition to keep only successful policy changes
| where LoggedByService == "Conditional Access" // and Category == "Policy" and Result == "success"
| extend
    // If an app (service principal) initiated the change, use its identity; otherwise use the user's
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    // The IP address sits under whichever key ("app" or "user") is present in InitiatedBy
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
// One output row per modified resource
| mv-expand TargetResource = TargetResources
| extend
    ResourceName = tostring(TargetResource["displayName"]),
    // Only the first modified property is surfaced; policies with several changes need a further mv-expand
    ResourceType = tostring(TargetResource["modifiedProperties"][0]["displayName"]),
    ResourceOldValue = TargetResource["modifiedProperties"][0]["oldValue"],
    ResourceNewValue = TargetResource["modifiedProperties"][0]["newValue"]
| project
    TimeGenerated,
    Category,
    Initiator,
    IPAddress,
    OperationName,
    Result,
    ResourceType,
    ResourceName,
    ResourceOldValue,
    ResourceNewValue,
    InitiatedBy,
    AdditionalDetails,
    TargetResources,
    LoggedByService,
    InitiatorId,
    CorrelationId

Explanation

This query looks at audit logs where the service that logged the event is "Conditional Access". A further condition restricting the results to events whose category is "Policy" and whose result was a "success" is included in the query but commented out, so as written the query returns every Conditional Access audit event; removing the comment markers narrows it to successful policy changes.

The query then creates new fields for the initiator of the event, the initiator's ID, and the IP address from which the event was initiated. If the event was initiated by an app, it uses the app's display name and service principal ID. If the event was initiated by a user, it uses the user's principal name and ID.

The query also expands the target resources, producing one row per resource, and creates new fields for the resource's name, type, and the old and new values of the first modified property of that resource. Because only index 0 of modifiedProperties is read, an event that changed several properties of one policy shows only the first of them.

Finally, the query selects and displays the following fields: the time the event was generated, the category, the initiator, the IP address, the operation name, the result, the resource type, the resource name, the old and new values of the resource, who initiated the event, any additional details, the target resources, the service that logged the event, the initiator's ID, and the correlation ID.
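The same logic expressed outside KQL, as an added example that is not part of the original page or the author's query: it reproduces the initiator selection, the IP lookup under the first key of InitiatedBy, the per-resource expansion and the optional Category/Result filter over a handful of constructed AuditLogs records in the shape Log Analytics exports (dynamic columns serialised as JSON strings). All identifiers, names and addresses in the sample records are made up for illustration.

```python
import json
from typing import Any, Iterator

# Constructed sample records; every value here is illustrative, not real tenant data.
SAMPLE_AUDITLOGS = [
    {   # user-initiated policy change, logged by Conditional Access, succeeded
        "TimeGenerated": "2023-08-17T10:15:00Z", "Category": "Policy",
        "OperationName": "Update conditional access policy", "Result": "success",
        "LoggedByService": "Conditional Access", "CorrelationId": "corr-0001",
        "InitiatedBy": json.dumps({"user": {"id": "user-object-id-example",
                                             "userPrincipalName": "admin@example.com",
                                             "ipAddress": "203.0.113.10"}}),
        "TargetResources": json.dumps([{"displayName": "Require MFA for admins",
                                        "modifiedProperties": [{"displayName": "ConditionalAccessPolicy",
                                                                "oldValue": '{"state":"enabled"}',
                                                                "newValue": '{"state":"disabled"}'}]}]),
    },
    {   # app-initiated change that failed; kept by the base filter, dropped by the strict one
        "TimeGenerated": "2023-08-17T10:20:00Z", "Category": "Policy",
        "OperationName": "Update conditional access policy", "Result": "failure",
        "LoggedByService": "Conditional Access", "CorrelationId": "corr-0002",
        "InitiatedBy": json.dumps({"app": {"servicePrincipalId": "sp-object-id-example",
                                            "displayName": "Example Automation App",
                                            "ipAddress": "198.51.100.7"}}),
        "TargetResources": json.dumps([{"displayName": "Block legacy auth",
                                        "modifiedProperties": [{"displayName": "ConditionalAccessPolicy",
                                                                "oldValue": "{}", "newValue": "{}"}]}]),
    },
    {   # logged by another service; excluded by the where clause
        "TimeGenerated": "2023-08-17T10:25:00Z", "Category": "UserManagement",
        "OperationName": "Update user", "Result": "success",
        "LoggedByService": "Core Directory", "CorrelationId": "corr-0003",
        "InitiatedBy": json.dumps({"user": {"id": "x", "userPrincipalName": "x@example.com"}}),
        "TargetResources": json.dumps([{"displayName": "someone", "modifiedProperties": []}]),
    },
]


def _as_obj(value: Any, default: Any) -> Any:
    """Dynamic columns arrive as JSON strings in exports; accept either a string or a parsed object."""
    if value is None or value == "":
        return default
    return json.loads(value) if isinstance(value, str) else value


def initiator_fields(initiated_by: dict[str, Any]) -> tuple[str, str, str]:
    """Mirror the query's iif(): prefer the app identity when present, otherwise the user's."""
    app = initiated_by.get("app")
    if app:
        initiator, initiator_id = str(app.get("displayName", "")), str(app.get("servicePrincipalId", ""))
    else:
        user = initiated_by.get("user") or {}
        initiator, initiator_id = str(user.get("userPrincipalName", "")), str(user.get("id", ""))
    # bag_keys(InitiatedBy)[0]: read ipAddress from whichever key ("app" or "user") comes first
    first_key = next(iter(initiated_by), None)
    ip = str((initiated_by.get(first_key) or {}).get("ipAddress", "")) if first_key else ""
    return initiator, initiator_id, ip


def expand_target_resources(record: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Mirror mv-expand plus the second extend: one row per TargetResources entry."""
    initiator, initiator_id, ip = initiator_fields(_as_obj(record.get("InitiatedBy"), {}))
    for target in _as_obj(record.get("TargetResources"), []):
        first = (target.get("modifiedProperties") or [{}])[0]  # only index 0, as in the query
        yield {
            "TimeGenerated": record.get("TimeGenerated"), "Category": record.get("Category"),
            "Initiator": initiator, "IPAddress": ip, "OperationName": record.get("OperationName"),
            "Result": record.get("Result"), "ResourceType": str(first.get("displayName", "")),
            "ResourceName": str(target.get("displayName", "")),
            "ResourceOldValue": first.get("oldValue"), "ResourceNewValue": first.get("newValue"),
            "InitiatorId": initiator_id, "CorrelationId": record.get("CorrelationId"),
        }


def run_query(records: list[dict[str, Any]], require_policy_success: bool = False) -> list[dict[str, Any]]:
    """Apply the where clause; the flag enables the filter that is commented out in the original query."""
    rows: list[dict[str, Any]] = []
    for record in records:
        if record.get("LoggedByService") != "Conditional Access":
            continue
        if require_policy_success and not (record.get("Category") == "Policy" and record.get("Result") == "success"):
            continue
        rows.extend(expand_target_resources(record))
    return rows


if __name__ == "__main__":
    for row in run_query(SAMPLE_AUDITLOGS):
        print(row["TimeGenerated"], row["Initiator"], row["IPAddress"], row["ResourceName"], row["Result"])
```

Running the block prints two rows, the user-initiated and the app-initiated Conditional Access events; passing require_policy_success=True reduces that to the single successful policy change, which is the behaviour the commented-out part of the where clause would give in KQL.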

Details

Jose Sebastián Canós

Released: August 17, 2023

Tables

AuditLogs

Keywords

AuditLogs, ConditionalAccess, Policy, Success, Initiator, InitiatorId, IPAddress, TargetResource, ResourceName, ResourceType, ResourceOldValue, ResourceNewValue, TimeGenerated, Category, OperationName, Result, InitiatedBy, AdditionalDetails, TargetResources, LoggedByService, CorrelationId

Operators

AuditLogs, where, extend, iif, isnotempty, tostring, mv-expand, project