Query Details

Audit Logs Entra ID B2C Settings Modified

Query

AuditLogs
| where LoggedByService == "B2C" and OperationName has_any ("B2C", "CIAM", "Guest Usages") and OperationName has_any ("Create", "Update", "Delete")
| extend
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| project
    TimeGenerated,
    LoggedByService,
    Category,
    AADOperationType,
    Initiator,
    IPAddress,
    OperationName,
    Result,
    ResultDescription,
    AdditionalDetails,
    InitiatorId,
    InitiatedBy,
    TargetResources,
    CorrelationId

Explanation

This KQL (Kusto Query Language) query filters and displays audit log entries for operations logged by the B2C service. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at the AuditLogs table.

  2. Filtering Criteria:

    • It selects logs where the LoggedByService is "B2C".
    • It further filters these logs to include only those operations whose OperationName contains any of the terms "B2C", "CIAM", or "Guest Usages".
    • Additionally, it ensures that the OperationName also includes any of the actions "Create", "Update", or "Delete".

  3. Data Transformation:

    • It extracts and creates new fields:
      • Initiator: Determines who initiated the operation, either an app's display name or a user's principal name.
      • InitiatorId: Retrieves the ID of the initiator, either a service principal ID for apps or a user ID.
      • IPAddress: Extracts the IP address from which the operation was initiated, read from the ipAddress property under the first key of InitiatedBy.

  4. Data Projection:

    • It selects and displays a set of columns from the filtered and transformed data:
      • TimeGenerated: The timestamp of when the log entry was created.
      • LoggedByService: The service that logged the entry.
      • Category, AADOperationType: Additional classification details of the operation.
      • Initiator, IPAddress: The initiator's name and IP address.
      • OperationName: The name of the operation performed.
      • Result, ResultDescription: The outcome of the operation and a description of the result.
      • AdditionalDetails: Any extra information related to the operation.
      • InitiatorId, InitiatedBy: IDs and details of the initiator.
      • TargetResources: The resources targeted by the operation.
      • CorrelationId: A unique identifier for correlating related log entries.

In summary, this query is used to extract and display detailed information about specific B2C-related operations (create, update, delete) from audit logs, including who initiated them and from where.
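The same filter and initiator extraction, run over a few constructed rows so the user-initiated and app-initiated cases can be compared with rows the filter drops. This is an added example, not part of the original query: SampleAuditLogs, the operation names, GUIDs, UPNs, app name and IP addresses are made-up sample values, and InitiatorType is an extra helper column.

```kql
// Constructed rows (not real tenant data) shaped like the AuditLogs columns the query reads.
let SampleAuditLogs = datatable(
    TimeGenerated: datetime, LoggedByService: string, OperationName: string,
    Result: string, InitiatedBy: dynamic)
[
    // Row 1: change operation initiated by a user, with an IP address on the user object
    datetime(2025-06-01 10:00:00), "B2C", "Update B2C tenant setting", "success",
    dynamic({"user": {"id": "11111111-1111-1111-1111-111111111111",
                      "userPrincipalName": "admin@contoso.example",
                      "ipAddress": "203.0.113.10"}}),
    // Row 2: change operation initiated by an app (service principal), no ipAddress property
    datetime(2025-06-01 10:05:00), "B2C", "Delete CIAM configuration", "success",
    dynamic({"app": {"displayName": "Example Automation App",
                     "servicePrincipalId": "22222222-2222-2222-2222-222222222222"}}),
    // Row 3: read-only operation, OperationName has no Create/Update/Delete term
    datetime(2025-06-01 10:10:00), "B2C", "Get B2C tenant setting", "success",
    dynamic({"user": {"id": "33333333-3333-3333-3333-333333333333",
                      "userPrincipalName": "reader@contoso.example",
                      "ipAddress": "198.51.100.7"}}),
    // Row 4: change operation logged by a different service than "B2C"
    datetime(2025-06-01 10:15:00), "Core Directory", "Update B2C application", "success",
    dynamic({"user": {"id": "44444444-4444-4444-4444-444444444444",
                      "userPrincipalName": "ops@contoso.example",
                      "ipAddress": "192.0.2.25"}})
];
SampleAuditLogs
// Same three conditions as the query above
| where LoggedByService == "B2C"
    and OperationName has_any ("B2C", "CIAM", "Guest Usages")
    and OperationName has_any ("Create", "Update", "Delete")
// Same initiator logic as the query above
| extend
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
// Helper column (added here): which key of InitiatedBy the values were read from
| extend InitiatorType = tostring(bag_keys(InitiatedBy)[0])
| project TimeGenerated, OperationName, InitiatorType, Initiator, InitiatorId, IPAddress
```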

Details

Jose Sebastián Canós

Released: June 23, 2025

Tables

AuditLogs

Keywords

AuditLogs, B2C, CIAM, GuestUsages, Create, Update, Delete, Initiator, InitiatorId, IPAddress, TimeGenerated, LoggedByService, Category, AADOperationType, OperationName, Result, ResultDescription, AdditionalDetails, TargetResources, CorrelationId

Operators

where, has_any, extend, iif, isnotempty, tostring, bag_keys, project
