Query Details
AuditLogs
| where OperationName == "User has elevated their access to User Access Administrator for their Azure Resources"
| extend User = tostring(InitiatedBy.user.userPrincipalName)
| extend IP = tostring(InitiatedBy.user.ipAddress)
This KQL (Kusto Query Language) query searches the Microsoft Entra ID audit log for the event written when a Global Administrator turns on "Access management for Azure resources" and elevates themselves to User Access Administrator at the tenant root scope (/). User Access Administrator at root scope can assign any Azure RBAC role on every management group and subscription in the tenant, so every occurrence of this event is worth a look. Here is a breakdown of what the query does:
AuditLogs: This is the table being queried. In a Log Analytics workspace it holds the Entra ID audit log, but only if the tenant's diagnostic settings forward that log to the workspace; if they do not, the query returns nothing. The query has no time filter of its own, so the time range selected in the portal (or the default in Sentinel) bounds the search.
| where OperationName == "User has elevated their access to User Access Administrator for their Azure Resources": This line keeps only the audit entries whose operation name exactly matches this string (== is case-sensitive in KQL; =~ would match regardless of case). This is the operation name Entra ID writes for the elevate-access action, so the filter selects precisely those events.
| extend User = tostring(InitiatedBy.user.userPrincipalName): This line adds a column called "User" holding the user principal name (the sign-in name, usually the user's email address) of the account that performed the elevation. InitiatedBy is a dynamic (JSON) column, so the extracted property is itself dynamic; tostring() converts it to a plain string so it can be summarized, joined, or compared like any other text column.
| extend IP = tostring(InitiatedBy.user.ipAddress): Similarly, this line adds an "IP" column with the source IP address from which the elevation was requested, again converted to a string with tostring().
In summary, the query lists the user principal name and source IP address for every elevate-access event in the Entra ID audit log. Elevation should be rare, tied to a documented change or break-glass procedure, and reversed once the task is done; a user who appears here without a matching ticket, from an unexpected IP, or repeatedly over time is a finding. The Azure side records the same action in the tenant-level Directory Activity log as Microsoft.Authorization/elevateAccess/action, which is a useful cross-check when the Entra audit log is in doubt.
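As an added example (not part of the original query), the version below adds a time window, the outcome of the operation, and a per-user summary so that an analyst sees how often each account has elevated, from which addresses, and when it last happened. The column names are from the standard AuditLogs schema; the 30-day window is an assumption and should be adjusted to the review period.

```kql
// Added example (not the original query): per-user summary of elevate-access events.
// Assumes Entra ID audit logs are forwarded to the workspace; the 30d window is an assumption.
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "User has elevated their access to User Access Administrator for their Azure Resources"
| extend User = tostring(InitiatedBy.user.userPrincipalName)
| extend IP = tostring(InitiatedBy.user.ipAddress)
// Result is "success" or "failure"; a failed elevation from a non-Global Admin is still interesting.
| summarize Elevations = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IP),
            Outcomes = make_set(Result),
            CorrelationIds = make_set(CorrelationId)
    by User
| order by LastSeen desc
```

CorrelationId is kept so each elevation can be tied back to the surrounding sign-in and role-assignment activity in the same time range. Any user with Elevations greater than one, or with more than one entry in SourceIPs, should be reconciled against the change record that authorized the elevation.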

Jay Kerai
Released: January 31, 2025