Query Details

OAuth Detecting First Time Credential Addition

Query

//Detects users who have added a credential to an Azure AD App for the first time in 90 days, adjust timeframe as needed.

//Data connector required for this query - Azure Active Directory - Audit Logs

let timeframe = startofday(ago(90d));
AuditLogs
| where TimeGenerated > timeframe and TimeGenerated < startofday(now())
| where OperationName has "Update application – Certificates and secrets management"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project Actor
| join kind=rightanti
    (
    AuditLogs
    | where TimeGenerated > startofday(now())
    | where OperationName has "Update application – Certificates and secrets management"
    | extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | extend AppId = tostring(AdditionalDetails[1].value)
    | project TimeGenerated, Actor, AppId
    )
    on Actor
| project TimeGenerated, Actor, AppId

Explanation

This query detects users who have added a credential to an Azure AD App for the first time in the past 90 days. It uses the Azure Active Directory - Audit Logs data connector. Both halves of the query filter AuditLogs on the operation name for application certificate and secret management and extract the initiating user's userPrincipalName as Actor. The first half collects the Actors seen between the start of the 90-day window and the start of today; the second half collects today's events together with the AppId taken from AdditionalDetails. The rightanti join keeps only today's rows whose Actor has no match in the 90-day set, so the final result is the time, user, and app ID for each user adding an application credential today who had not done so in the preceding 90 days.
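To make the rightanti join semantics concrete, the following is an added Python reimplementation of the same detection logic over constructed, AuditLogs-shaped records; it is not part of the original query or the page, and the record layout, user names and app IDs are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed records shaped like the AuditLogs fields the KQL reads
# (TimeGenerated, OperationName, InitiatedBy.user.userPrincipalName,
# AdditionalDetails[1].value). Not real tenant data.
OP_NAME = "Update application – Certificates and secrets management"
NOW = datetime(2022, 6, 17, 14, 0, tzinfo=timezone.utc)  # assumed "now"

def rec(days_ago, upn, app_id, op=OP_NAME):
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "OperationName": op,
        "InitiatedBy": {"user": {"userPrincipalName": upn}},
        "AdditionalDetails": [{"key": "User-Agent", "value": "x"},
                              {"key": "AppId", "value": app_id}],
    }

SAMPLE_LOGS = [
    rec(60, "alice@contoso.example", "app-1"),   # prior addition in window
    rec(0, "alice@contoso.example", "app-2"),    # so alice is excluded today
    rec(0, "bob@contoso.example", "app-3"),      # first time: flagged
    rec(0, "carol@contoso.example", "app-4", op="Update application"),  # other op
    rec(120, "dave@contoso.example", "app-5"),   # outside the 90-day window
    rec(0, "dave@contoso.example", "app-6"),     # so dave is flagged too
]

def start_of_day(ts):
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)

def actor(r):
    return r["InitiatedBy"]["user"]["userPrincipalName"]

def first_time_credential_additions(logs, now=NOW, lookback_days=90):
    today = start_of_day(now)                                  # startofday(now())
    timeframe = start_of_day(now - timedelta(days=lookback_days))  # startofday(ago(90d))
    # Substring match approximates KQL `has` for this fixed operation name
    cred_ops = [r for r in logs if OP_NAME in r["OperationName"]]
    # Left side of the join: actors seen in (timeframe, today)
    seen = {actor(r) for r in cred_ops if timeframe < r["TimeGenerated"] < today}
    # Right side: today's events; rightanti keeps rows with no left match
    return [
        (r["TimeGenerated"], actor(r), r["AdditionalDetails"][1]["value"])
        for r in cred_ops
        if r["TimeGenerated"] > today and actor(r) not in seen
    ]
```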

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

Users,AzureADApp,Credential,AuditLogs,TimeGenerated,OperationName,InitiatedBy.user,userPrincipalName,AdditionalDetails,AppId

Operators

let, startofday, ago, where, has, extend, tostring, parse_json, project, join kind=rightanti, on
