We wanted to know which actions were done by a human rather than by a service principal when looking at Azure Activity in Log Analytics queries. We thought of a nice quick way to do it!

Email vs GUID

Our assumption is that every human who triggers something in Azure will have an email address in the Caller field, whereas service principals will have a GUID there.

My first thought was to do something with regex validation to check whether the value is in GUID format or not.

I started to look at the documentation for the matches regex operator and said to myself that there might already be something to convert a string to a GUID scalar. There is something! It's called toguid(). According to the documentation, toguid() will return a GUID if the value is really in the proper format, otherwise null. Bingo!

We now just have to check whether the value fails to convert. Remember, only service principals have a GUID as the value; otherwise it's an email.

We can combine the two functions and write | where isnull(toguid(Caller)) to perform this check.

The query will look something like this:

AzureActivity
| where Category has "Administrative"
| where OperationName has "Firewall Rule"
| where ActivityStatus has "Succeeded"
| where isnull(toguid(Caller))
| project OperationName, OperationNameValue, Caller, _ResourceId, TimeGenerated
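To go one step further, here is an added example (not part of the original post) that classifies each caller instead of filtering the GUIDs out, so human and service principal activity can be compared side by side. It uses the same toguid() trick together with a check for an "@" in the value. The table and column names are the standard AzureActivity schema used in the query above; the 7-day window and the CallerType labels are assumptions chosen for illustration.

```kusto
// Added example, not from the original post: label each Activity log caller
// rather than dropping the GUID ones, then count actions per caller type.
// Assumptions: 7-day window and the CallerType label names are illustrative.
AzureActivity
| where TimeGenerated > ago(7d)
| where Category has "Administrative"
| where ActivityStatus has "Succeeded"
| extend CallerType = case(
    isempty(Caller), "Unknown",                     // no caller recorded on the event
    isnotnull(toguid(Caller)), "ServicePrincipal",  // object ID of an app or managed identity
    Caller contains "@", "Human",                   // UPN-style value, i.e. a user
    "Other")                                        // neither a GUID nor an email
| summarize Actions = count(), DistinctCallers = dcount(Caller) by CallerType, OperationName
| order by Actions desc
```

Note that isnull(toguid(Caller)) on its own is true for any value that is not a GUID, including an empty Caller, not only for email addresses. The "Other" and "Unknown" buckets above make those rows visible so you can decide whether they belong in a human-activity report, and the per-caller count shows quickly when one identity is responsible for most of the changes.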

Hope it helps!

Happy Kusto log query!