KQL Search

This KQL (Kusto Query Language) query is designed to analyze audit logs, specifically looking for operations related to updating a service principal. Here's a simple breakdown of what the query does:

1. Data Source: The query starts by examining the AuditLogs table, which contains logs of various operations performed within a system.

2. Filter: It filters the logs to only include entries where the OperationName is "Update service principal." This means it is specifically interested in changes made to service principals.

3. Extract Information:

   • It extracts the AppName, which is the display name of the target resource (service principal) being updated. This is done by converting the first element of the TargetResources array to a string and accessing its displayName property.
   • It also extracts the Enabled status of the service principal. This involves parsing the JSON structure within the modifiedProperties field to find the newValue of the first modified property, and then converting it to a string.

In summary, this query is used to identify and extract details about updates made to service principals, including their names and enabled statuses, from audit logs. This can be useful for monitoring and investigating changes to service principals, which are critical components in managing application identities and permissions in cloud environments.