Query Details

Creation Of New Azure Tenant

Query

AuditLogs
| where Category == "DirectoryManagement"
| where OperationName == "Create Company"
| where Result == "success"
| extend AccountID = parse_json(tostring(InitiatedBy.user)).id
| extend InitiatingIPAddress = parse_json(tostring(InitiatedBy.user)).ipAddress
| extend InitiatingUPN = parse_json(tostring(InitiatedBy.user)).userPrincipalName
| extend CreatedTenantID = TargetResources[0].id

Explanation

This KQL (Kusto Query Language) query filters the Microsoft Entra ID (formerly Azure AD) audit log table, AuditLogs, for directory management activity and extracts specific fields from the matching records. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at the AuditLogs table.

  2. Filter by Category: It filters the logs to only include those in the "DirectoryManagement" category.

  3. Filter by Operation: It further narrows down the logs to those where the operation performed was "Create Company".

  4. Filter by Result: It only considers logs where the result of the operation was "success".

  5. Extract Information:

    • It extracts the AccountID from the InitiatedBy.user field, which is the object ID of the user who initiated the operation.
    • It extracts the InitiatingIPAddress from the same field, which is the IP address the initiating user connected from.
    • It extracts the InitiatingUPN (User Principal Name) from the same field, which is the initiating user's sign-in name.
    • It extracts the CreatedTenantID from the first element of the TargetResources array (TargetResources[0].id), which is the ID of the tenant that was created.

In summary, this query identifies successful "Create Company" operations in directory management logs and extracts relevant details about the user who initiated the operation and the tenant that was created.
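The same filter-and-extract logic, re-implemented in Python as an added example (not the author's query or any Microsoft code) so it can be checked offline against constructed rows shaped like AuditLogs records; the field names follow the Entra ID audit log schema, while the GUIDs, UPNs and IP addresses are made up. It also adds an app-initiated row and an InitiatingApp field to show that the query's three user-derived columns come back empty when a service principal, not a user, performs the creation.

```python
# Constructed sample rows shaped like AuditLogs records exported from Log Analytics
# (not real data). InitiatedBy and TargetResources are the dynamic (JSON) columns
# the query reads via parse_json(tostring(InitiatedBy.user)) and TargetResources[0].id.
SAMPLE_ROWS = [
    {"Category": "DirectoryManagement", "OperationName": "Create Company", "Result": "success",
     "InitiatedBy": {"user": {"id": "00000000-0000-4000-8000-000000000001",
                              "userPrincipalName": "alice@contoso.example",
                              "ipAddress": "203.0.113.10"}, "app": None},
     "TargetResources": [{"id": "00000000-0000-4000-8000-0000000000aa", "type": "Company"}]},
    # Failed attempt: dropped by the Result == "success" filter.
    {"Category": "DirectoryManagement", "OperationName": "Create Company", "Result": "failure",
     "InitiatedBy": {"user": {"id": "00000000-0000-4000-8000-000000000002",
                              "userPrincipalName": "bob@contoso.example",
                              "ipAddress": "198.51.100.7"}, "app": None},
     "TargetResources": []},
    # Same category, different operation: dropped by the OperationName filter.
    {"Category": "DirectoryManagement", "OperationName": "Set Company Information", "Result": "success",
     "InitiatedBy": {"user": {"id": "00000000-0000-4000-8000-000000000003",
                              "userPrincipalName": "carol@contoso.example",
                              "ipAddress": "203.0.113.11"}, "app": None},
     "TargetResources": [{"id": "00000000-0000-4000-8000-0000000000bb", "type": "Company"}]},
    # Creation by an application: InitiatedBy.user is null, so the query's three
    # user-derived columns come back empty for this row.
    {"Category": "DirectoryManagement", "OperationName": "Create Company", "Result": "success",
     "InitiatedBy": {"user": None, "app": {"displayName": "Provisioning Automation",
                                           "servicePrincipalId": "00000000-0000-4000-8000-0000000000ee"}},
     "TargetResources": [{"id": "00000000-0000-4000-8000-0000000000cc", "type": "Company"}]},
]

def detect_tenant_creation(rows):
    """Apply the query's three filters and four extractions; one dict per matching row."""
    hits = []
    for row in rows:
        if (row.get("Category") != "DirectoryManagement"
                or row.get("OperationName") != "Create Company"
                or row.get("Result") != "success"):
            continue
        initiated_by = row.get("InitiatedBy") or {}
        user = initiated_by.get("user") or {}      # null user -> every user field is None
        targets = row.get("TargetResources") or []
        hits.append({
            "AccountID": user.get("id"),
            "InitiatingIPAddress": user.get("ipAddress"),
            "InitiatingUPN": user.get("userPrincipalName"),
            "CreatedTenantID": targets[0].get("id") if targets else None,
            # Extra, not in the KQL: keeps app-initiated creations attributable.
            "InitiatingApp": (initiated_by.get("app") or {}).get("displayName"),
        })
    return hits
```

Running detect_tenant_creation(SAMPLE_ROWS) returns two hits: the user-initiated creation with all four columns populated, and the app-initiated one with empty user columns but a populated InitiatingApp.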

Details


Jay Kerai

Released: November 11, 2024

Tables

AuditLogs

Keywords

AuditLogs, DirectoryManagement, OperationName, Result, AccountID, InitiatingIPAddress, InitiatingUPN, CreatedTenantID, TargetResources

Operators

AuditLogs, where, extend, parse_json, tostring, [ ]
