Query Details

Conditional Access Policy Addition

Conditional Access Add Policy

Query

AuditLogs
| where OperationName == "Add conditional access policy"
| extend DeletedPolicy = TargetResources.[0].displayName, Actor = InitiatedBy.user.userPrincipalName
| project TimeGenerated, Actor, DeletedPolicy, TargetResources

About this query

Conditional Access Policy Addition

Query Information

Description

This KQL query lists all conditional access policies that have been added.

References

Sentinel

Explanation

This KQL query is designed to identify and list all instances where a conditional access policy has been added in an Azure environment. Here's a simple breakdown of what the query does:

  1. Data Source: It pulls data from the AuditLogs, which contains records of various operations performed within Azure.

  2. Filter: The query specifically looks for log entries where the operation performed is "Add conditional access policy". This means it focuses only on events related to the creation of new conditional access policies.

  3. Extract Information:

    • It extracts the name of the policy that was added (DeletedPolicy) from the first item in the TargetResources array.
    • It also retrieves the user principal name of the person who initiated the addition of the policy (Actor).
  4. Output: The query then projects (or selects) a few key pieces of information to display:

    • TimeGenerated: The timestamp of when the policy was added.
    • Actor: The user who added the policy.
    • DeletedPolicy: The name of the policy that was added.
    • TargetResources: The resources targeted by the policy.

In summary, this query helps administrators track when new conditional access policies are added, who added them, and what those policies are targeting.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: November 17, 2023

Tables

AuditLogs

Keywords

AuditLogsConditionalAccessPolicyActorUserTargetResources

Operators

whereextendproject

Actions

GitHub