Query Details

Identity Directory Events SID History Changed

Query

IdentityDirectoryEvents
| where ActionType == "SID-History changed"
| extend
    FromSidHistory = tostring(AdditionalFields["FROM SID-History"]),
    ToSidHistory = tostring(AdditionalFields["TO SID-History"]),
    TargetAccountSid = tostring(AdditionalFields["TargetAccountSid"]),
    TargetObjectGroup = tostring(AdditionalFields["TARGET_OBJECT.GROUP"]),
    TargetObjectGroupSid = tostring(AdditionalFields["TARGET_OBJECT.GROUP_SID"])
| project-reorder
    TimeGenerated,
    Application,
    ActionType,
    FromSidHistory,
    ToSidHistory,
    TargetAccountUpn,
    TargetAccountDisplayName,
    TargetAccountSid,
    TargetObjectGroup,
    TargetObjectGroupSid,
    AdditionalFields,
    ReportId

Explanation

This KQL (Kusto Query Language) query is designed to analyze identity directory events where the "SID-History" has changed. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at the IdentityDirectoryEvents table.

  2. Filter: It filters the events to only include those where the ActionType is "SID-History changed". This means it's focusing on events where the Security Identifier (SID) history of an account has been altered.

  3. Extract Fields: It extracts specific details from the AdditionalFields column:

    • FromSidHistory: The original SID history before the change.
    • ToSidHistory: The new SID history after the change.
    • TargetAccountSid: The SID of the account whose SID history was changed.
    • TargetObjectGroup: The group associated with the target object.
    • TargetObjectGroupSid: The SID of the group associated with the target object.

  4. Reorder Columns: It rearranges the columns in the output to a specified order, making it easier to read and analyze. The columns are ordered as follows:

    • TimeGenerated: When the event was generated.
    • Application: The application related to the event.
    • ActionType: The type of action, which in this case is "SID-History changed".
    • FromSidHistory, ToSidHistory, TargetAccountUpn, TargetAccountDisplayName, TargetAccountSid, TargetObjectGroup, TargetObjectGroupSid: The extracted and relevant details about the SID history change.
    • AdditionalFields: Any other additional information.
    • ReportId: The identifier for the report.

Overall, this query is used to track and analyze changes in SID history within an identity directory, providing insights into how account identifiers are being modified.
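As an added example that is not part of the original page, the following Python replicates the query's filter, `extend` and `project-reorder` steps over a few constructed rows shaped like IdentityDirectoryEvents, then takes the step an analyst usually wants next: it diffs the FROM and TO SID-history values to isolate the SIDs that were added, and flags any whose RID belongs to a well-known privileged group. The shape of AdditionalFields (a JSON object whose SID-history values are comma-separated SID strings), the sample SIDs, UPNs and ReportIds are all assumptions constructed for the example; the RID list uses standard Windows values.

```python
"""Added example: mirror the 'SID-History changed' KQL query in Python and
diff the before/after SID history to surface newly added privileged SIDs.
The event shape below is constructed for the example, not taken from MDI."""
import json
from typing import Dict, List, Set, Tuple

# Standard well-known RIDs for privileged principals: 500 Administrator,
# 512 Domain Admins, 516 Domain Controllers, 518 Schema Admins,
# 519 Enterprise Admins, 544 Builtin Administrators.
PRIVILEGED_RIDS = {"500", "512", "516", "518", "519", "544"}

# Column order produced by the query's project-reorder.
PROJECTED_COLUMNS = [
    "TimeGenerated", "Application", "ActionType", "FromSidHistory",
    "ToSidHistory", "TargetAccountUpn", "TargetAccountDisplayName",
    "TargetAccountSid", "TargetObjectGroup", "TargetObjectGroupSid",
    "AdditionalFields", "ReportId",
]

# Constructed sample rows (assumption: AdditionalFields is a JSON string
# whose SID-history values are comma-separated SIDs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign migration-style change: a single non-privileged SID added
        "TimeGenerated": "2024-10-09T08:15:00Z", "Application": "Active Directory",
        "ActionType": "SID-History changed", "TargetAccountUpn": "jdoe@contoso.example",
        "TargetAccountDisplayName": "Jane Doe", "ReportId": "r-0001",
        "AdditionalFields": json.dumps({
            "FROM SID-History": "",
            "TO SID-History": "S-1-5-21-111-222-333-1105",
            "TargetAccountSid": "S-1-5-21-444-555-666-2201"}),
    },
    {   # suspicious: a Domain Admins SID (RID 512) appended to the history
        "TimeGenerated": "2024-10-09T09:02:00Z", "Application": "Active Directory",
        "ActionType": "SID-History changed", "TargetAccountUpn": "svc-backup@contoso.example",
        "TargetAccountDisplayName": "Backup Service", "ReportId": "r-0002",
        "AdditionalFields": json.dumps({
            "FROM SID-History": "S-1-5-21-111-222-333-1105",
            "TO SID-History": "S-1-5-21-111-222-333-1105, S-1-5-21-111-222-333-512",
            "TargetAccountSid": "S-1-5-21-444-555-666-2305"}),
    },
    {   # unrelated action type: the `where` filter must drop this row
        "TimeGenerated": "2024-10-09T09:10:00Z", "Application": "Active Directory",
        "ActionType": "Group Membership changed", "TargetAccountUpn": "jdoe@contoso.example",
        "TargetAccountDisplayName": "Jane Doe", "ReportId": "r-0003",
        "AdditionalFields": json.dumps({"TARGET_OBJECT.GROUP": "Helpdesk"}),
    },
]


def parse_sid_list(value: str) -> Set[str]:
    """Split a comma-separated SID-history string into a set of SIDs."""
    return {s.strip() for s in value.split(",") if s.strip()}


def project_event(row: Dict[str, str]) -> Dict[str, str]:
    """Apply the query's `extend` (tostring of AdditionalFields keys, empty
    string when the key is absent) and `project-reorder` to one row."""
    fields = json.loads(row["AdditionalFields"])
    extended = dict(row)
    extended["FromSidHistory"] = str(fields.get("FROM SID-History", ""))
    extended["ToSidHistory"] = str(fields.get("TO SID-History", ""))
    extended["TargetAccountSid"] = str(fields.get("TargetAccountSid", ""))
    extended["TargetObjectGroup"] = str(fields.get("TARGET_OBJECT.GROUP", ""))
    extended["TargetObjectGroupSid"] = str(fields.get("TARGET_OBJECT.GROUP_SID", ""))
    # project-reorder keeps every column but moves the listed ones to the front.
    ordered = {c: extended.get(c, "") for c in PROJECTED_COLUMNS}
    for key, val in extended.items():
        ordered.setdefault(key, val)
    return ordered


def run_query(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Equivalent of the page's query: filter on ActionType, extend, reorder."""
    return [project_event(r) for r in rows if r.get("ActionType") == "SID-History changed"]


def sid_history_diff(event: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) SIDs between FromSidHistory and ToSidHistory."""
    before = parse_sid_list(event["FromSidHistory"])
    after = parse_sid_list(event["ToSidHistory"])
    return after - before, before - after


def rid_of(sid: str) -> str:
    """Relative identifier: the last hyphen-separated component of a SID."""
    return sid.rsplit("-", 1)[-1]


def privileged_additions(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Events whose SID-history change added a SID with a privileged RID."""
    hits = []
    for event in run_query(rows):
        added, _removed = sid_history_diff(event)
        flagged = sorted(s for s in added if rid_of(s) in PRIVILEGED_RIDS)
        if flagged:
            hits.append({**event, "AddedPrivilegedSids": flagged})
    return hits


if __name__ == "__main__":
    for hit in privileged_additions(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["TargetAccountUpn"], hit["AddedPrivilegedSids"])
```

The diff step matters because the raw FROM/TO strings can both be long on accounts migrated from several domains; what an analyst needs is the delta, and an added SID whose RID is 512 or 519 on an account that was not just migrated deserves a ticket regardless of how routine the rest of the history looks.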

Details

Jose Sebastián Canós

Released: October 9, 2024

Tables

IdentityDirectoryEvents

Keywords

IdentityDirectoryEvents

Operators

where, ==, extend, =, tostring(), [], project-reorder
