The idea of this check is that we don't always know in which attribute the AppId is stored in Azure Resource Manager logs. Thus this query searches every attribute of the event entity for the existence of an AppId.
For example:
- In Key Vault logs the AppId value is in identity_claim_appid_g
- In ActivityLogs it is in claims.appId
- In SQL logs it is in session_server_principal_name_s
- This query does not care in which attribute the AppId is stored, which makes it easier to search across the whole mass of logs.
You need to have all logs (highlighted below) in the relevant categories enabled in order to use this query:
- Creates a list of AppIds from the AADServicePrincipalSignInLogs and AADManagedIdentitySignInLogs logs
- Searches the AzureDiagnostics and AzureActivity "mass" with mv-apply, using pack_all()
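The two steps above, written out as a complete KQL query. This is an added example, not the original query from the page: the table names, the AppId column and TimeGenerated are standard Microsoft Sentinel schema, while the lookback window, the 10,000-item cap and the output column names (SourceTable, AttributeName, AttributeValue) are choices made here.

```kusto
// Added example (not the page's own query): find service principal / managed identity
// AppIds anywhere in AzureDiagnostics and AzureActivity without knowing the attribute name.
let lookback = 7d;   // assumed window; tune to the workspace's retention and volume
// Step 1: distinct AppIds that authenticated as a service principal or managed identity.
// make_set() keeps only 128 items by default, so the cap is raised explicitly.
let KnownAppIds = toscalar(
    union
        (AADServicePrincipalSignInLogs | where TimeGenerated > ago(lookback) | project AppId),
        (AADManagedIdentitySignInLogs  | where TimeGenerated > ago(lookback) | project AppId)
    | where isnotempty(AppId)
    | summarize make_set(AppId, 10000));
// Step 2: pack every column of each row into one dynamic bag and test each attribute's
// value against the set, so the query never has to name identity_claim_appid_g,
// session_server_principal_name_s or any other provider-specific column.
union withsource=SourceTable AzureDiagnostics, AzureActivity
| where TimeGenerated > ago(lookback)     // filter on time before the expensive expansion
| extend Props = pack_all()               // all columns of the row -> one property bag
| mv-apply Prop = Props on (
      // Each Prop is a single-key bag such as {"identity_claim_appid_g": "<guid>"}
      extend AttributeName = tostring(bag_keys(Prop)[0])
      | extend AttributeValue = tostring(Prop[AttributeName])
  )
// has_any (term match) also catches an AppId embedded in a JSON string such as the
// AzureActivity Claims column, which an exact "in" comparison would miss.
| where AttributeValue has_any (KnownAppIds)
| project TimeGenerated, SourceTable, AttributeName, AttributeValue
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by SourceTable, AttributeName, AttributeValue
| order by Hits desc
```

The final summarize is there to make the first run useful as a discovery step: it tells you, per source table, which attribute names actually carry AppIds in your workspace, which is exactly the information the page says is not known up front. Because pack_all() and mv-apply multiply every row by its column count (AzureDiagnostics can have hundreds of columns), keep the time filter before the extend and narrow the union with a `where Category == ...` or `ResourceProvider == ...` clause once you know which categories matter.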