TITLE
Azure AD Enterprise Apps Disabled
Query
AuditLogs
| where OperationName == "Update service principal"
| extend AppName = tostring(TargetResources[0].displayName)
| extend Enabled = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue))[0])About this query
TITLE
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1110.003 | Credential Access: Brute Force: Password Spraying | https://attack.mitre.org/techniques/T1110/003/ |
Description
DESCRIPTION
References
Microsoft 365 Defender
Explanation
This KQL (Kusto Query Language) query is designed to analyze audit logs, specifically looking for operations related to updating a service principal. Here's a simple breakdown of what the query does:
-
Data Source: The query starts by examining the
AuditLogstable, which contains logs of various operations performed within a system. -
Filter: It filters the logs to only include entries where the
OperationNameis "Update service principal." This means it is specifically interested in changes made to service principals. -
Extract Information:
- It extracts the
AppName, which is the display name of the target resource (service principal) being updated. This is done by converting the first element of theTargetResourcesarray to a string and accessing itsdisplayNameproperty. - It also extracts the
Enabledstatus of the service principal. This involves parsing the JSON structure within themodifiedPropertiesfield to find thenewValueof the first modified property, and then converting it to a string.
- It extracts the
In summary, this query is used to identify and extract details about updates made to service principals, including their names and enabled statuses, from audit logs. This can be useful for monitoring and investigating changes to service principals, which are critical components in managing application identities and permissions in cloud environments.
