Query Details
AuditLogs
| where not(OperationName has "group")
| where not(OperationName == "Set directory feature on tenant")
| where InitiatedBy has_all ("Office 365 Exchange Online", "user")
| where InitiatedBy.user.displayName == "Office 365 Exchange Online"
//Ref: https://i.blackhat.com/BH-USA-25/Presentations/US-25-Mollema-Advanced-AD-to-Entra-ID-lateral-movement-techniques-Wednesday.pdf
This KQL (Kusto Query Language) query filters the Entra ID AuditLogs table (as ingested into Microsoft Sentinel / Log Analytics) down to directory operations attributed to the Office 365 Exchange Online identity that fall outside its expected activity. Here's a breakdown of what each filter does:
Exclude routine operations: The first two filters drop entries whose OperationName contains the term "group" (has is a whole-term, case-insensitive match, so it catches operations such as "Update group" or "Add member to group") and entries whose OperationName is exactly "Set directory feature on tenant" (== is a case-sensitive exact comparison). These are the operations the author excludes as routine Exchange Online activity, so they are treated as noise rather than as signal.
Filter by initiator: InitiatedBy is a dynamic (JSON) column that records the actor as either a user object or an app object. has_all requires both the phrase "Office 365 Exchange Online" and the term "user" to appear somewhere in that JSON, so the entry must have been initiated by a user-type actor and must reference Exchange Online. This is a cheap pre-filter; on its own it would also keep any user-type initiator whose record merely mentions the phrase in another field.
Specific user display name: The final filter keeps only entries where InitiatedBy.user.displayName is exactly "Office 365 Exchange Online", which pins the match to a user-type actor carrying the display name of the first-party Exchange Online service rather than any record that happens to contain the phrase. Because == is case-sensitive, a display name that differs only in case does not match.
Overall, the query surfaces directory changes attributed to the "Office 365 Exchange Online" identity other than the group and directory-feature operations it routinely performs. The referenced Black Hat USA 2025 talk (Mollema, "Advanced AD to Entra ID lateral movement techniques") describes lateral movement from on-premises Active Directory into Entra ID in which the attacker's changes are attributed to this identity, so any remaining hits deserve triage: check TargetResources for which users, service principals or applications were modified, and Result and ResultDescription for whether the change succeeded. The exclusion list is a baseline rather than a guarantee; in tenants where Exchange Online performs additional operations you will see benign hits, so review your own history and tune the exclusions before alerting on this query.
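To show how the four filters behave on concrete rows, the following is an added Python re-implementation of the same predicates run over constructed AuditLogs-shaped records. It is not part of the original query page and is not Kusto itself: has is modelled as a case-insensitive whole-term regex match over the JSON-serialised column, which approximates Kusto's term matching. The sample rows, display names, UPNs, target names and the all-zero servicePrincipalId are constructed for illustration. The rows cover the cases the breakdown relies on: a group operation and the directory-feature toggle that the exclusions drop, the same identity recorded under app rather than user (so has_all cannot find the term "user"), an ordinary administrator, and a display name differing only in case, which passes has_all but fails the case-sensitive == check.

```python
"""Added example: the page's KQL filter re-implemented in Python over constructed AuditLogs rows."""
from __future__ import annotations

import json
import re
from typing import Any

# Constructed sample rows shaped like Entra ID AuditLogs records in Sentinel (not real tenant data).
# UPNs, target names and the service principal ID are placeholders.
SAMPLE_AUDIT_LOGS: list[dict[str, Any]] = [
    # Routine group housekeeping under the Exchange Online identity: dropped by the "group" exclusion.
    {"OperationName": "Update group",
     "InitiatedBy": {"user": {"displayName": "Office 365 Exchange Online",
                              "userPrincipalName": "Office 365 Exchange Online"}},
     "TargetResources": [{"type": "Group", "displayName": "Sales"}]},
    # Routine directory-feature toggle: dropped by the exact-match exclusion.
    {"OperationName": "Set directory feature on tenant",
     "InitiatedBy": {"user": {"displayName": "Office 365 Exchange Online",
                              "userPrincipalName": "Office 365 Exchange Online"}},
     "TargetResources": [{"type": "Tenant"}]},
    # Same identity recorded as an app, not a user: has_all cannot find the term "user".
    {"OperationName": "Update user",
     "InitiatedBy": {"app": {"displayName": "Office 365 Exchange Online",
                             "servicePrincipalId": "00000000-0000-0000-0000-000000000000"}},
     "TargetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"}]},
    # Anomalous: user-type actor named Office 365 Exchange Online changing a user object.
    {"OperationName": "Update user",
     "InitiatedBy": {"user": {"displayName": "Office 365 Exchange Online",
                              "userPrincipalName": "Office 365 Exchange Online"}},
     "TargetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"}]},
    # Anomalous: same actor adding credentials to a service principal.
    {"OperationName": "Add service principal credentials",
     "InitiatedBy": {"user": {"displayName": "Office 365 Exchange Online",
                              "userPrincipalName": "Office 365 Exchange Online"}},
     "TargetResources": [{"type": "ServicePrincipal", "displayName": "Backup Connector"}]},
    # Ordinary administrator: the display name does not match.
    {"OperationName": "Update user",
     "InitiatedBy": {"user": {"displayName": "Alice Admin",
                              "userPrincipalName": "alice@contoso.example"}},
     "TargetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example"}]},
    # Display name differs only in case: passes has_all (case-insensitive), fails == (case-sensitive).
    {"OperationName": "Update user",
     "InitiatedBy": {"user": {"displayName": "office 365 exchange online",
                              "userPrincipalName": "office 365 exchange online"}},
     "TargetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example"}]},
]

# A term boundary for this approximation: not preceded or followed by an alphanumeric or underscore.
_TERM_PATTERN = r"(?<![A-Za-z0-9_]){}(?![A-Za-z0-9_])"


def kql_has(text: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match on a whole term or phrase, not a substring."""
    return re.search(_TERM_PATTERN.format(re.escape(term)), text, re.IGNORECASE) is not None


def kql_has_all(column: Any, terms: list[str]) -> bool:
    """Approximation of `has_all` on a dynamic column: every term must occur in its JSON serialisation."""
    serialised = json.dumps(column)
    return all(kql_has(serialised, term) for term in terms)


def matches_query(row: dict[str, Any]) -> bool:
    """A row is kept only when it survives all four `where` clauses of the page's query."""
    operation = row.get("OperationName", "")
    initiated_by = row.get("InitiatedBy") or {}
    if kql_has(operation, "group"):                        # where not(OperationName has "group")
        return False
    if operation == "Set directory feature on tenant":     # where not(OperationName == "...")
        return False
    if not kql_has_all(initiated_by, ["Office 365 Exchange Online", "user"]):
        return False                                       # where InitiatedBy has_all (...)
    user = initiated_by.get("user") or {}
    # `==` in KQL is case-sensitive, unlike `has`, so the lowercase variant is dropped here.
    return user.get("displayName") == "Office 365 Exchange Online"


def run_query(rows: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Apply the filter to a list of rows and return the surviving ones in input order."""
    return [row for row in rows if matches_query(row)]


if __name__ == "__main__":
    for hit in run_query(SAMPLE_AUDIT_LOGS):
        print(hit["OperationName"], "->", json.dumps(hit["TargetResources"]))
```

Running it prints the two anomalous rows ("Update user" and "Add service principal credentials") and nothing else. The useful habit it illustrates for tuning: when you see an unexpected hit in your own tenant, add an exclusion only for the specific OperationName, since has "group" already excludes every operation that carries that term and a broader exclusion would silently hide the very activity the query is looking for.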

Jay Kerai
Released: August 14, 2025