Query Details

Audit Logs Cross Tenant Access Settings Modified

Query

AuditLogs
| where Category == "CrossTenantAccessSettings" or OperationName has "cross-tenant"
| extend
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| project
    TimeGenerated,
    Category,
    Initiator,
    IPAddress,
    OperationName,
    Result,
    InitiatedBy,
    AdditionalDetails,
    TargetResources,
    LoggedByService,
    InitiatorId,
    CorrelationId

Explanation

This query searches the audit logs for entries where the category is "CrossTenantAccessSettings" or the operation name contains the term "cross-tenant". It then adds three columns: Initiator (the app's display name if the action was initiated by an app, otherwise the user's principal name), InitiatorId (the app's service principal ID, otherwise the user's ID), and IPAddress (the ipAddress field found under the first key of InitiatedBy).

The query then selects and displays the following information: the time the log was generated, the category, the initiator, the IP address, the operation name, the result, who initiated the action, any additional details, the target resources, the service that logged the action, the initiator's ID, and the correlation ID.

Details

Jose Sebastián Canós

Released: August 1, 2023

Tables

AuditLogs

Keywords

AuditLogs,CrossTenantAccessSettings,OperationName,Initiator,InitiatorId,IPAddress,TimeGenerated,Category,Result,InitiatedBy,AdditionalDetails,TargetResources,LoggedByService,CorrelationId

Operators

where, ==, or, has, extend, iif, isnotempty, tostring, bag_keys, project