We wanted to know which actions were performed by a human rather than a service principal when looking at Azure Activity logs in Log Analytics queries. We found a quick way to do it!
Email vs GUID
Our assumption is that every human who triggers something in Azure shows up with an email address (their user principal name) in the Caller field, whereas service principals and managed identities show up with a GUID (their object ID).
My first thought was to use regex matching to check whether the value is in GUID format. While reading the documentation for the matches regex operator, I wondered whether there might already be something to convert a string to a guid scalar. There is: it's called toguid(). According to the documentation, toguid() returns a guid if the value is really in the proper format, otherwise null. Bingo!
So we only have to check whether the value fails to convert: remember, only service principals have a GUID as the value, otherwise it's an email. We can combine the two functions and write | where isnull(toguid(Caller)) to perform this check. One caveat: an empty Caller value also fails to convert and would pass this filter, so add | where isnotempty(Caller) as well if you want to drop records that have no caller at all.
The query will look something like this:
AzureActivity
| where Category has "Administrative"           // control-plane (Resource Manager) operations only
| where OperationName has "Firewall Rule"       // narrow to firewall rule changes
| where ActivityStatus has "Succeeded"          // only operations that actually completed
| where isnull(toguid(Caller))                  // Caller is not a GUID, so not a service principal
| project OperationName, OperationNameValue, Caller, _ResourceId, TimeGenerated
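The same check applied to a handful of constructed sample rows, as an added example that is not part of the original post: the SampleActivity table and its records are made up here (the column names mirror AzureActivity), so the query runs in any Kusto environment without real log data. It also labels the empty-caller case that a bare isnull(toguid(Caller)) would let through:

```kusto
// Added example (not from the original post): a self-contained datatable that
// stands in for AzureActivity. All rows are constructed sample records.
let SampleActivity = datatable(TimeGenerated: datetime, OperationName: string, ActivityStatusValue: string, Caller: string)
[
    datetime(2024-01-15 09:00:00), "Create or Update Firewall Rule", "Success", "alice@contoso.com",
    datetime(2024-01-15 09:05:00), "Create or Update Firewall Rule", "Success", "3f2b1a9c-6d4e-4b8a-9c0d-1e2f3a4b5c6d",
    datetime(2024-01-15 09:10:00), "Delete Firewall Rule",           "Success", "bob_outlook.com#EXT#@contoso.onmicrosoft.com",
    datetime(2024-01-15 09:15:00), "Create or Update Firewall Rule", "Success", "",
    datetime(2024-01-15 09:20:00), "Create or Update Firewall Rule", "Success", "not-a-guid-and-not-an-email"
];
SampleActivity
| extend CallerGuid = toguid(Caller)              // null unless Caller is a well-formed GUID
| extend CallerKind = case(
    isempty(Caller),       "none",                // no principal recorded; a bare isnull() check would keep this row
    isnotnull(CallerGuid), "service principal",   // object ID of an app registration or managed identity
                           "human")               // anything else: a UPN such as an email address (guest UPNs included)
| where CallerKind == "human"                     // swap for == "none" or == "service principal" to inspect the other buckets
| project TimeGenerated, OperationName, Caller, CallerKind
```

Note that the classification is only as good as the assumption behind it: any non-GUID, non-empty value lands in the "human" bucket, as the last sample row shows, so it is worth eyeballing the distinct Caller values the filter returns before relying on it in a detection.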
Hope it helps!
Happy Kusto log query!