Query Details
Who Changed Their AAD Password
Query
AuditLogs | where OperationName contains "self-service" | where Result == "success" | extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) | project userPrincipalName_
Explanation
This query is looking at the AuditLogs table and filtering for entries where the OperationName contains "self-service" and the Result is "success". It then extends the userPrincipalName_ field by extracting it from the InitiatedBy.user JSON object and converts it to a string. Finally, it projects the userPrincipalName_ field in the output.
Details
Rod Trent
Released: September 23, 2020
Tables
AuditLogs
Keywords
AuditLogs,OperationName,Result,InitiatedBy,userPrincipalName
Operators
| wherecontains==extendtostringparse_jsonproject