Query Details

Audit Logs Entra ID Unusual Operation

Query

AuditLogs
| where case(
    OperationName has_any ("domain"), true,
    LoggedByService == "AAD Management UX" and Category == "Policy", true,
    LoggedByService == "Authentication Methods" and Category == "ApplicationManagement" and not(OperationName in ("PATCH UserAuthMethod.PatchSignInPreferencesAsync", "POST UserAuthMethod.SecurityInfoRegistrationCallback")), true,
    false
    )
| extend
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| project
    TimeGenerated,
    LoggedByService,
    Category,
    AADOperationType,
    Initiator,
    IPAddress,
    OperationName,
    Result,
    ResultDescription,
    AdditionalDetails,
    InitiatorId,
    InitiatedBy,
    TargetResources,
    CorrelationId

Explanation

This KQL (Kusto Query Language) query is designed to filter and extract specific audit log entries from the AuditLogs table based on certain conditions. Here's a simplified breakdown of what the query does:

  1. Filtering Conditions: The query filters the logs to include only those that meet one of the following criteria:

    • The OperationName contains the term "domain" (a has_any term match, not a substring match).
    • The log was generated by the "AAD Management UX" service and belongs to the "Policy" category.
    • The log was generated by the "Authentication Methods" service, belongs to the "ApplicationManagement" category, and the OperationName is not one of the specified operations ("PATCH UserAuthMethod.PatchSignInPreferencesAsync" or "POST UserAuthMethod.SecurityInfoRegistrationCallback").
  2. Data Extraction: For each log entry that meets the criteria, the query extracts and extends additional information:

    • Initiator: Determines who initiated the operation, either an application (using the app's display name) or a user (using the user's principal name).
    • InitiatorId: Extracts the ID of the initiator, either the service principal ID for an app or the user ID.
    • IPAddress: Retrieves the IP address from the first key of the InitiatedBy property bag (the app or user entry, whichever bag_keys returns first).
  3. Projection: The query then selects and displays a specific set of columns from the filtered logs:

    • TimeGenerated: The timestamp of the log entry.
    • LoggedByService: The service that logged the entry.
    • Category: The category of the log entry.
    • AADOperationType: The type of operation performed.
    • Initiator: The name of the initiator.
    • IPAddress: The IP address of the initiator.
    • OperationName: The name of the operation.
    • Result: The result of the operation.
    • ResultDescription: A description of the result.
    • AdditionalDetails: Any additional details provided in the log.
    • InitiatorId: The ID of the initiator.
    • InitiatedBy: The original initiator details.
    • TargetResources: The resources targeted by the operation.
    • CorrelationId: An ID used to correlate related log entries.

Overall, this query is used to filter and analyze specific audit log entries based on defined conditions and extract relevant information for further investigation or reporting.
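The three steps above, re-implemented in Python as an added example (not code from the original page or its author) so the filter and extraction logic can be checked against constructed records offline. The `has_term` helper only approximates KQL's `has_any` term matching, the record shapes are assumptions based on the AuditLogs columns the query reads, and every value (UPNs, IPs, the operation name `CONSTRUCTED-AuthMethodOperation`) is made up. It goes one step further than the explanation in that the last sample record shows what taking the IP from `bag_keys(InitiatedBy)[0]` yields when the property bag carries a null "app" entry ahead of the "user" entry: an empty IPAddress.

```python
"""Added example, not part of the original query page: a Python re-implementation of
the query's filter, extend and project steps, run over constructed AuditLogs-style
records. Column names follow the Entra ID AuditLogs schema; all values are constructed."""
import re

# Operations the original query excludes from the "Authentication Methods" branch.
EXCLUDED_AUTH_METHOD_OPS = {
    "PATCH UserAuthMethod.PatchSignInPreferencesAsync",
    "POST UserAuthMethod.SecurityInfoRegistrationCallback",
}

# Columns kept by the query's `project` step, in the same order.
PROJECTED_COLUMNS = [
    "TimeGenerated", "LoggedByService", "Category", "AADOperationType", "Initiator",
    "IPAddress", "OperationName", "Result", "ResultDescription", "AdditionalDetails",
    "InitiatorId", "InitiatedBy", "TargetResources", "CorrelationId",
]


def has_term(text: str, term: str) -> bool:
    """Approximates KQL `has_any`: case-insensitive whole-term match, not a substring
    match (assumption: terms are runs of letters and digits)."""
    tokens = re.findall(r"[A-Za-z0-9]+", text or "")
    return term.lower() in (t.lower() for t in tokens)


def matches_filter(rec: dict) -> bool:
    """Step 1: the `where case(...)` conditions, evaluated in the query's order."""
    op = rec.get("OperationName", "")
    svc = rec.get("LoggedByService", "")
    cat = rec.get("Category", "")
    if has_term(op, "domain"):
        return True
    if svc == "AAD Management UX" and cat == "Policy":
        return True
    if (svc == "Authentication Methods" and cat == "ApplicationManagement"
            and op not in EXCLUDED_AUTH_METHOD_OPS):
        return True
    return False


def extract_initiator(rec: dict) -> dict:
    """Step 2: the `extend` step; tostring() on a missing value becomes ""."""
    initiated_by = rec.get("InitiatedBy") or {}
    app = initiated_by.get("app")
    user = initiated_by.get("user") or {}
    if app:  # isnotempty(InitiatedBy["app"])
        initiator = str(app.get("displayName") or "")
        initiator_id = str(app.get("servicePrincipalId") or "")
    else:
        initiator = str(user.get("userPrincipalName") or "")
        initiator_id = str(user.get("id") or "")
    # The IP is read from whichever key bag_keys(InitiatedBy)[0] returns. If the bag
    # lists the other key first with a null value, the IP comes back empty.
    keys = list(initiated_by.keys())
    first_entry = (initiated_by.get(keys[0]) if keys else None) or {}
    ip_address = str(first_entry.get("ipAddress") or "")
    return {"Initiator": initiator, "InitiatorId": initiator_id, "IPAddress": ip_address}


def run_query(records: list) -> list:
    """Steps 1-3 together: filter, extend, then project the listed columns."""
    rows = []
    for rec in records:
        if not matches_filter(rec):
            continue
        row = dict(rec)
        row.update(extract_initiator(rec))
        rows.append({col: row.get(col) for col in PROJECTED_COLUMNS})
    return rows


def _rec(op, svc, cat, initiated_by):
    """Builds a constructed record carrying only the fields the query reads."""
    return {"OperationName": op, "LoggedByService": svc, "Category": cat,
            "InitiatedBy": initiated_by, "Result": "success"}


# Constructed sample data (not real tenant data); IPs are from documentation ranges.
USER_1 = {"id": "u-1", "userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}
SAMPLE_RECORDS = [
    _rec("Add unverified domain", "Core Directory", "DirectoryManagement", {"user": USER_1}),
    _rec("Update policy", "AAD Management UX", "Policy",
         {"app": {"displayName": "Example Automation", "servicePrincipalId": "sp-1",
                  "ipAddress": "198.51.100.7"}}),
    # Explicitly excluded by the query.
    _rec("PATCH UserAuthMethod.PatchSignInPreferencesAsync", "Authentication Methods",
         "ApplicationManagement", {"user": USER_1}),
    # Matches no branch.
    _rec("Update user", "Core Directory", "UserManagement", {"user": USER_1}),
    # Placeholder operation name (constructed); matches the third branch.
    _rec("CONSTRUCTED-AuthMethodOperation", "Authentication Methods",
         "ApplicationManagement", {"user": USER_1}),
    # "app" present but null and listed first: exercises the bag_keys()[0] caveat.
    _rec("Verify domain", "Core Directory", "DirectoryManagement",
         {"app": None, "user": {"id": "u-4", "userPrincipalName": "ops@contoso.example",
                                "ipAddress": "192.0.2.5"}}),
]

if __name__ == "__main__":
    for row in run_query(SAMPLE_RECORDS):
        print(row["OperationName"], "|", row["Initiator"], "|", row["IPAddress"] or "<empty>")
```

Running the script prints the four matching rows; the last one has an empty IPAddress, which is the case to keep in mind when the query's IP column is used for enrichment or allow-listing.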

Details

Jose Sebastián Canós

Released: June 23, 2025

Tables

AuditLogs

Keywords

AuditLogs

Operators

AuditLogs
where
case
has_any
==
and
not
in
extend
iif
isnotempty
tostring
bag_keys
project