Query Details
CloudAppEvents
| where ActionType == "New-TenantAllowBlockListItems"
| extend Notes = extract(@'"Notes","Value":"(.*?)"', 1, tostring(ActivityObjects))
| extend Url = replace_string(extract(@'Name":"Entries","Value":"(.*?)"', 1, tostring(ActivityObjects)), ".", "[.]")
| extend Expiration = replace_string(extract(@'"Name":"ExpirationDate","Value":"(.*?)"', 1, tostring(ActivityObjects)), ".", "[.]")
//| project-reorder Notes, Url, Expiration
//| project TimeGenerated, ObjectName, Notes, Url, Expiration, IPAddress
This KQL (Kusto Query Language) query surfaces audit events in which new items were added to the Tenant Allow/Block List (the New-TenantAllowBlockListItems Exchange Online cmdlet) as recorded in the CloudAppEvents table. Step by step, the query does the following:
Data source: It starts from the CloudAppEvents table, which holds audit records of actions performed in connected cloud applications, including Exchange Online.
Filter: It keeps only rows whose ActionType is "New-TenantAllowBlockListItems", i.e. events where an entry was added to the allow/block list.
Extract Notes: It pulls the "Notes" parameter out of the ActivityObjects column with a regular expression applied to the column's JSON text (tostring(ActivityObjects)). This field carries whatever free-text justification the admin supplied for the entry.
Extract and defang URL: It pulls the "Entries" parameter, which holds the URL or domain being listed, from ActivityObjects, then replaces every period (.) with "[.]" so the value is not rendered as a clickable link or treated as a live URL in the results.
Extract and format expiration date: It pulls the "ExpirationDate" parameter from ActivityObjects and applies the same period-to-"[.]" replacement, keeping the display format consistent with the Url column.
Commented-out projections: The last two lines start with // and are therefore inactive. If uncommented, the first (project-reorder) would move Notes, Url and Expiration to the front of the result set, and the second (project) would restrict the output to TimeGenerated, ObjectName, Notes, Url, Expiration and IPAddress.
In summary, the query extracts and formats the key details of new Tenant Allow/Block List entries (notes, listed URLs and expiration dates) while ensuring the listed URLs are not directly clickable.
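To make the extraction logic concrete outside of Kusto, the Python below re-implements the query's three regexes and the period-to-"[.]" defanging over a constructed CloudAppEvents-style record. This is an added example, not code from the page's author: the ActivityObjects shape (a list of {"Name": ..., "Value": ...} objects, serialised compactly as tostring() does) and every value in SAMPLE_EVENT are assumptions modelled on what the query's patterns expect, not data captured from a real tenant.

```python
import json
import re

# Constructed sample records (assumed shape, not captured from a real tenant).
# They mirror the parameters the page's regexes look for in ActivityObjects.
SAMPLE_EVENT = {
    "ActionType": "New-TenantAllowBlockListItems",
    "ActivityObjects": [
        {"Name": "ListType", "Value": "Url"},
        {"Name": "Entries", "Value": "example.com"},
        {"Name": "Allow", "Value": "True"},
        {"Name": "ExpirationDate", "Value": "2026-05-23T00:00:00"},
        {"Name": "Notes", "Value": "Ticket INC-0000: vendor portal"},
    ],
}

# Same cmdlet, but the admin supplied no Notes and no ExpirationDate.
SAMPLE_EVENT_MINIMAL = {
    "ActionType": "New-TenantAllowBlockListItems",
    "ActivityObjects": [
        {"Name": "ListType", "Value": "Url"},
        {"Name": "Entries", "Value": "login.example.net"},
        {"Name": "Block", "Value": "True"},
        {"Name": "NoExpiration", "Value": "True"},
    ],
}


def kusto_extract(pattern: str, text: str) -> str:
    """Mimic KQL extract(regex, 1, text): first capture group, or "" when no match."""
    match = re.search(pattern, text)
    return match.group(1) if match else ""


def defang(value: str) -> str:
    """Mimic replace_string(value, ".", "[.]") so URLs do not render as links."""
    return value.replace(".", "[.]")


def activity_objects_as_text(event: dict) -> str:
    """Serialise ActivityObjects the compact way Kusto's tostring() renders dynamic values."""
    return json.dumps(event["ActivityObjects"], separators=(",", ":"))


def extract_fields_like_query(event: dict) -> dict:
    """Apply the page's three regexes and defanging to one CloudAppEvents row."""
    text = activity_objects_as_text(event)
    return {
        "Notes": kusto_extract(r'"Notes","Value":"(.*?)"', text),
        "Url": defang(kusto_extract(r'Name":"Entries","Value":"(.*?)"', text)),
        "Expiration": defang(
            kusto_extract(r'"Name":"ExpirationDate","Value":"(.*?)"', text)
        ),
    }


def extract_fields_structured(event: dict) -> dict:
    """Same fields obtained by reading the parsed objects instead of regex.

    This does not depend on the serialised key order and makes it easy to pull
    further parameters, such as whether the entry is an allow (the riskier case).
    """
    params = {obj["Name"]: obj["Value"] for obj in event["ActivityObjects"]}
    return {
        "Notes": params.get("Notes", ""),
        "Url": defang(params.get("Entries", "")),
        "Expiration": defang(params.get("ExpirationDate", "")),
        "IsAllow": params.get("Allow", "") == "True",
    }


if __name__ == "__main__":
    for event in (SAMPLE_EVENT, SAMPLE_EVENT_MINIMAL):
        print(extract_fields_like_query(event))
        print(extract_fields_structured(event))
```

Run it directly to see both extraction styles side by side. Note that for an entry created without Notes or an ExpirationDate the regex variant returns empty strings, so a follow-up filter such as where isnotempty(Notes) would silently drop exactly the undocumented entries a reviewer most wants to see; the structured variant additionally exposes an IsAllow flag, which is useful for prioritising allow entries over block entries in review.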

Jay Kerai
Released: April 23, 2026