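// Hunting query: successful Conditional Access policy operations found in
// AuditLogs over the last 30 days, with the actor, source IP and the
// before/after policy values side by side for review.
AuditLogs
| where TimeGenerated > ago(30d)
// `has` is a case-insensitive term match on the operation name.
| where OperationName has "conditional access policy"
// Only operations that completed; failed attempts are dropped by this filter
// and need a separate query if they are of interest.
| where Result =~ "success"
| extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// Changes made by an application or service principal are recorded under
// InitiatedBy.app, which leaves userPrincipalName empty. Surface the app name
// so those rows are still attributable.
| extend initiatedByApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend CAPolicyName = tostring(TargetResources[0].displayName)
| extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
// Optional allowlist of expected administrators. `Azure` is not defined in this
// query; replace it with a literal list or a let-bound set before enabling.
// Any account excluded here becomes a blind spot if it is compromised.
// | where userPrincipalName !in (Azure)
// Only the first modifiedProperties entry is read.
// NOTE(review): presumably that entry holds the full policy JSON - confirm against your own data.
| extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue
| extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue
// ipAddress was computed above but left out of the original projection; it is
// included here together with the app initiator.
| project TimeGenerated, OperationName, CAPolicyName, userPrincipalName, initiatedByApp, ipAddress, OldPolicyValues, NewPolicyValues
// Newest first (desc is also the KQL default, stated here explicitly).
| order by TimeGenerated desc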