{
  "id": 316,
  "date": "2025-09-16T14:13:50",
  "date_gmt": "2025-09-16T13:13:50",
  "guid": {"rendered": "https:\/\/cyber-resilience.mobi\/?p=316"},
  "modified": "2025-09-16T14:13:50",
  "modified_gmt": "2025-09-16T13:13:50",
  "slug": "modify-credentials-entra-connect-app-identity",
  "status": "publish",
  "type": "post",
  "link": "https:\/\/cyber-resilience.mobi\/?p=316",
  "title": {"rendered": "Modify Credentials Entra Connect App Identity"},
  "content": {
    "rendered": "\n<p class=\"wp-block-paragraph\">This query makes it possible to:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Monitor sensitive changes<\/strong> to Azure AD Connect (Entra Connect) application identities.<\/li>\n\n<li><strong>Detect the addition of keys, certificates or federated credentials<\/strong>.<\/li>\n\n<li><strong>Identify who initiated the action<\/strong>, with the IP address and context.<\/li>\n<\/ul>\n\n<pre class=\"wp-block-code\"><code>\/\/ Application identities that hold the Entra Connect (AD synchronization) permission\nlet EntraConnectAppIdentities = OAuthAppInfo\n| where parse_json(Permissions) has 'ADSynchronization.ReadWrite.All'\n| summarize by AppName;\n\/\/ Successful credential-related operations against those applications or service principals\nAuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\", \"Update application\")\n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on\n    (\n    where TargetResource.type =~ \"Application\" or TargetResource.type =~ \"ServicePrincipal\"\n    | extend\n        TargetName = tostring(TargetResource.displayName),\n        TargetObjectType = tostring(TargetResource.type),\n        ResourceId = tostring(TargetResource.id),\n        AddedKeyEvent = TargetResource.modifiedProperties\n    )\n| where TargetName in~ (EntraConnectAppIdentities)\n\/\/ Resolve the initiator (user or application), its object id and its source IP address\n| extend InitiatingBy = iff(isnotempty(InitiatedBy.user.id), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingUserOrAppId = iff(isnotempty(InitiatedBy.user.id), tostring(InitiatedBy.user.id), tostring(InitiatedBy.app.servicePrincipalId))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n\/\/ Keep only the modified properties that describe keys, certificates or federated credentials\n| mv-apply Property = AddedKeyEvent on\n    (\n    where Property.displayName =~ \"KeyDescription\" or Property.displayName =~ \"FederatedIdentityCredentials\"\n    | extend\n        OldValue = parse_json(tostring(Property.oldValue)),\n        NewValue = parse_json(tostring(Property.newValue))\n    )\n\/\/ Entries present in the new value but absent from the old one are the credentials that were added\n\/\/ (an empty old value means this is the first credential on the identity)\n| extend diff = set_difference(NewValue, coalesce(OldValue, dynamic([])))\n| parse tostring(diff) with * \"KeyIdentifier=\" keyIdentifier: string \",KeyType=\" keyType: string \",KeyUsage=\" keyUsage: string \",DisplayName=\" keyDisplayName: string \"]\" *\n| project ActivityDateTime, ActivityDisplayName, CorrelationId, Result, TargetName, TargetObjectType, InitiatingBy, InitiatingUserOrAppId, InitiatingIpAddress, AddedKeyEvent, AddedKeyId = keyIdentifier, OldValue, NewValue<\/code><\/pre>\n",
    "protected": false
  },
  "excerpt": {"rendered": "<p>This query makes it possible to:<\/p>\n", "protected": false},
  "author": 1,
  "featured_media": 0,
  "comment_status": "open",
  "ping_status": "closed",
  "sticky": false,
  "template": "",
  "format": "standard",
  "meta": {"footnotes": ""},
  "categories": [20],
  "tags": [18],
  "class_list": ["post-316", "post", "type-post", "status-publish", "format-standard", "hentry", "category-kql-sentinel", "tag-kql"],
  "_links": {
    "self": [{"href": "https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/316", "targetHints": {"allow": ["GET"]}}],
    "collection": [{"href": "https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts"}],
    "about": [{"href": "https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/types\/post"}],
    "author": [{"embeddable": true, "href": "https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/users\/1"}],
    "replies": [{"embeddable": true, "href": "https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=316"}],
    "version-history": [{"count": 1, "href": "https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/316\/revisions"}],
    "predecessor-version": [{"id": 317, "href": "https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/316\/revisions\/317"}],
    "wp:attachment": [{"href": "https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=316"}],
    "wp:term": [
      {"taxonomy": "category", "embeddable": true, "href": "https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=316"},
      {"taxonomy": "post_tag", "embeddable": true, "href": "https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=316"}
    ],
    "curies": [{"name": "wp", "href": "https:\/\/api.w.org\/{rel}", "templated": true}]
  }
}