Audit-NamedLocationsChanged.kql
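//Detect when Azure AD Named Locations are changed (either IP or Country) and list the values each update set
//Data connector required for this query - Azure Active Directory - Audit Logs
//Output: one row per update event and named location, with TimeGenerated, Actor and either
//['IP List'] (CIDR ranges) or ['Country List'] (countries/regions) taken from that update's newValue.
//Rows are kept per event instead of being merged per location: one merged list over the whole
//lookback window mixes values from separate updates and cannot show when or by whom an entry was set.
//NOTE(review): no time filter is applied here; the lookback comes from the time picker or rule schedule.
let namedLocationUpdates=
AuditLogs
| where OperationName == "Update named location"
//TargetResources is expanded so each target resource of a record is handled on its own row
| mv-expand TargetResources
| extend ['Named Location name'] = tostring(TargetResources.displayName)
//Who made the change: the user's UPN, otherwise the display name of the initiating application
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend modifiedProperties = parse_json(TargetResources).modifiedProperties
| mv-expand modifiedProperties
//newValue is read as text and re-parsed below - presumably JSON-encoded; confirm against a sample event
| extend newValue = tostring(parse_json(modifiedProperties).newValue);
let updatedip=
namedLocationUpdates
| mv-expand todynamic(newValue)
| extend ipRanges = tostring(parse_json(newValue).ipRanges)
| mv-expand todynamic(ipRanges)
| extend cidr = tostring(ipRanges.cidrAddress)
//Keep only rows that produced a CIDR value
| where isnotempty(cidr)
| summarize ['IP List']=make_list(cidr) by TimeGenerated, Actor, ['Named Location name'];
let updatedcountries=
namedLocationUpdates
| extend countriesAndRegions = tostring(parse_json(newValue).countriesAndRegions)
| mv-expand todynamic(countriesAndRegions)
//Keep only rows that produced a country/region value
| where isnotempty(countriesAndRegions)
| summarize ['Country List']=make_list(countriesAndRegions) by TimeGenerated, Actor, ['Named Location name'];
//IP rows leave ['Country List'] empty and country rows leave ['IP List'] empty; newest change first
union updatedip, updatedcountries
| sort by TimeGenerated desc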