Query Details
AuditLogs
| where LoggedByService == "PIM" and OperationName has_all ("disable", "alert")
| extend
Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| project
TimeGenerated,
Category,
Initiator,
IPAddress,
OperationName,
Result,
InitiatedBy,
AdditionalDetails,
TargetResources,
LoggedByService,
InitiatorId,
CorrelationId
This query selects audit log entries where LoggedByService is "PIM" and OperationName contains both the terms "disable" and "alert", i.e. events in which a PIM alert was disabled. It then adds new fields for the initiator of the operation (the app display name if the operation was app-initiated, otherwise the user principal name), the initiator's ID (service principal ID or user ID), and the IP address from which the operation was initiated.
The query then projects the following fields: the time the log was generated, the category of the log, the initiator of the operation, the IP address from which the operation was initiated, the name of the operation, the result of the operation, the raw InitiatedBy object, any additional details, the resources targeted by the operation, the service that logged the operation, the ID of the initiator, and the correlation ID.
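As an added example (not part of the original page or the query's author's code), the same filter and field-extraction logic is reproduced in Python and run over a few constructed AuditLogs rows, so the app-versus-user initiator handling, the bag_keys-based IP lookup and the whole-term semantics of has_all can be checked offline. The sample rows, the contoso.example names, the GUID placeholders and the IP addresses are all constructed.

```python
import re

# Constructed sample AuditLogs rows (not real tenant data). Only the fields the
# query touches are included; names, GUID placeholders and IPs are made up.
SAMPLE_AUDITLOGS = [
    {"TimeGenerated": "2023-02-23T10:00:00Z", "LoggedByService": "PIM",
     "OperationName": "Disable alert", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example",
                              "id": "USER-GUID-PLACEHOLDER", "ipAddress": "203.0.113.10"}}},
    {"TimeGenerated": "2023-02-23T10:05:00Z", "LoggedByService": "PIM",
     "OperationName": "Disable alert", "Result": "success",
     "InitiatedBy": {"app": {"displayName": "Automation SP",
                             "servicePrincipalId": "SP-GUID-PLACEHOLDER", "ipAddress": "198.51.100.7"}}},
    {"TimeGenerated": "2023-02-23T10:10:00Z", "LoggedByService": "PIM",
     "OperationName": "Add member to role", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "ops@contoso.example",
                              "id": "USER2-GUID-PLACEHOLDER", "ipAddress": "203.0.113.11"}}},
    {"TimeGenerated": "2023-02-23T10:15:00Z", "LoggedByService": "Core Directory",
     "OperationName": "Disable alert", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "ops@contoso.example",
                              "id": "USER2-GUID-PLACEHOLDER", "ipAddress": "203.0.113.11"}}},
]

def has_all(text, terms):
    """Approximates KQL has_all: every term must appear as a whole, case-insensitive token."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return all(term.lower() in tokens for term in terms)

def extend_row(row):
    """Reproduces the query's extend step: Initiator, InitiatorId and IPAddress."""
    initiated_by = row.get("InitiatedBy") or {}
    app, user = initiated_by.get("app"), initiated_by.get("user") or {}
    if app:  # isnotempty(InitiatedBy["app"]) -> app-initiated operation
        initiator, initiator_id = app.get("displayName", ""), app.get("servicePrincipalId", "")
    else:  # otherwise fall back to the user principal
        initiator, initiator_id = user.get("userPrincipalName", ""), user.get("id", "")
    # bag_keys(InitiatedBy)[0]: the IP is read from whichever nested bag comes first
    first_key = next(iter(initiated_by), None)
    ip = (initiated_by.get(first_key) or {}).get("ipAddress", "") if first_key else ""
    return {"TimeGenerated": row.get("TimeGenerated"), "Initiator": initiator,
            "InitiatorId": initiator_id, "IPAddress": ip,
            "OperationName": row.get("OperationName"), "Result": row.get("Result")}

def find_disabled_pim_alerts(rows):
    """where LoggedByService == "PIM" and OperationName has_all ("disable", "alert")."""
    return [extend_row(r) for r in rows
            if r.get("LoggedByService") == "PIM"
            and has_all(r.get("OperationName", ""), ("disable", "alert"))]
```

Only the two PIM rows whose operation name carries both terms are returned; the "Core Directory" row with the same operation name and the unrelated PIM role change are filtered out, mirroring the KQL where clause.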

Jose Sebastián Canós
Released: February 23, 2023