Retrieve Recent Microsoft Entra ID Applications with Kusto Query

Introduction

Kusto Query Language (KQL) is a versatile tool for exploring data, uncovering patterns, identifying anomalies and outliers, performing statistical analysis, and much more. In this blog, we will see how to retrieve the Microsoft Entra ID applications that were newly created within a 7-day window.

Kusto Query

A Kusto query is a read-only request to process data and return results. It is written in plain text and follows a data-flow model designed to make the syntax easy to read, author, and automate. Kusto queries consist of one or more query statements, usually chained with the pipe (|) operator.

The below Kusto query will fetch all newly created Entra ID applications within a 7-day window.

AuditLogs
// Only application-management events of type "Add application"
| where Category == "ApplicationManagement"
| where ActivityDisplayName == "Add application"
// Restrict to the last 7 days
| where TimeGenerated >= ago(7d)
// InitiatedBy and TargetResources are JSON; parse them so their fields can be addressed
| extend userParse = parse_json(InitiatedBy)
| extend TargetResources = parse_json(TargetResources)
// The created application is the first target resource
| extend ApplicationName = tostring(TargetResources[0].displayName)
// UPN of the user who created the app (empty when an app/service principal did it)
| extend CreatedBy = tostring(userParse.user.userPrincipalName)
// Service principal id when the creation was initiated by an application
| extend servicePrincipalId = userParse.app.servicePrincipalId
| project
    TimeGenerated,
    InitiatedBy,
    ActivityDisplayName,
    CreatedBy,
    Category,
    servicePrincipalId,
    ApplicationName

The two main output columns, CreatedBy and ApplicationName, are extracted from the InitiatedBy and TargetResources fields, respectively. Because InitiatedBy contains either a user object or an app object, CreatedBy is empty when the application was created by another application or service principal; in that case servicePrincipalId identifies the creator instead.
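The following query is an added example, not part of the original post, that builds on the same AuditLogs fields and is shaped so it can be pasted into an Azure Monitor or Microsoft Sentinel scheduled rule. It generalizes the query above in two ways: it uses coalesce() to attribute the creation to whichever identity is populated (user UPN or initiating app display name), and it aggregates per creator so that bulk creation or creation by a service principal can be flagged. The lookback value and the threshold of 3 applications per creator are constructed values that should be tuned for the tenant.

```kusto
// Added example (not from the original post). Assumes AuditLogs is streamed to the
// Log Analytics workspace through the Entra ID diagnostic setting.
let lookback = 7d;
let maxAppsPerCreator = 3;   // constructed threshold; tune for your tenant
AuditLogs
| where TimeGenerated >= ago(lookback)
| where Category == "ApplicationManagement"
| where ActivityDisplayName == "Add application"
| where Result == "success"                     // only creations that actually happened
| extend initiator = parse_json(InitiatedBy)
| extend target = parse_json(TargetResources)
// An app can be created by a signed-in user OR by another app/service principal;
// coalesce() returns the first non-empty identity.
| extend CreatedBy = coalesce(
      tostring(initiator.user.userPrincipalName),
      tostring(initiator.app.displayName))
| extend InitiatorType = iff(isnotempty(initiator.user.userPrincipalName), "user", "servicePrincipal")
| extend InitiatorIp = tostring(initiator.user.ipAddress)   // empty for app-initiated events
| extend ApplicationName = tostring(target[0].displayName)
| extend ApplicationObjectId = tostring(target[0].id)
// One row per creator with the set of applications they created in the window
| summarize AppsCreated = count(),
            Applications = make_set(ApplicationName),
            ApplicationObjectIds = make_set(ApplicationObjectId),
            SourceIps = make_set(InitiatorIp),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by CreatedBy, InitiatorType
// Alert conditions: any creation by a service principal, or more than the threshold by one identity
| where InitiatorType == "servicePrincipal" or AppsCreated > maxAppsPerCreator
| order by AppsCreated desc
```

When this is used as a scheduled rule, set the rule's query period to match the lookback value so that each run sees the same window the query filters on; for an ad-hoc review, drop the final where clause to list every creator.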

Note. Make sure a diagnostic setting exists on Microsoft Entra ID that sends the AuditLogs category to the Log Analytics workspace you are querying; without it the AuditLogs table is empty and the query returns no rows.

Summary

We have seen how you can easily retrieve Microsoft Entra ID application creation information using Kusto queries. The same query can be extended into an alert rule in Azure Monitor so that new application registrations are surfaced automatically.