We wanted to know which actions were performed by a human rather than a service principal when looking at Azure Activity logs in Log Analytics queries. We came up with a nice, quick way to do it!
Email vs GUID
Our assumption is that every human who triggers something in Azure will show up with an email, while service principals show up with a guid, in the
My first thought was to use regex validation to check whether the value is in guid format or not.
I started to look at the documentation for matches regex and said to myself that there might already be something to convert a string to a guid scalar. There is: it's called toguid(). According to the documentation, toguid() returns a guid if the value really is in the proper format, otherwise
We now just have to check whether the value fails to convert. Remember, only service principals have a guid as the value; otherwise it's an email.
We can combine the two functions and write | where isnull(toguid(Caller)) to perform this check.
The query will look something like this:
AzureActivity
| where Category has "Administrative"
| where OperationName has "Firewall Rule"
| where ActivityStatus has "Succeeded"
| where isnull(toguid(Caller))
| project OperationName, OperationNameValue, Caller, _ResourceId, TimeGenerated
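As an added example (not from the original post), the same isnull(toguid(Caller)) check can tag every row with a caller type instead of filtering rows out, which gives a quick "who changed firewall rules: people or automation?" breakdown. The rows below are constructed sample data in a datatable standing in for AzureActivity, so the query runs on any Kusto endpoint; the Human/ServicePrincipal labels rest on the post's assumption that a guid caller is a service principal and anything else is a user's email.

```kusto
// Constructed sample rows mimicking the AzureActivity columns used above (not real tenant data).
let SampleActivity = datatable(TimeGenerated:datetime, Caller:string, OperationName:string, ActivityStatus:string)
[
    datetime(2024-01-01T10:00:00Z), "alice@contoso.example",                "Create or Update Firewall Rule", "Succeeded",
    datetime(2024-01-01T10:05:00Z), "11111111-2222-3333-4444-555555555555", "Create or Update Firewall Rule", "Succeeded",
    datetime(2024-01-01T10:10:00Z), "BOB@CONTOSO.EXAMPLE",                  "Delete Firewall Rule",           "Succeeded",
    datetime(2024-01-01T10:15:00Z), "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE", "Delete Firewall Rule",           "Succeeded",
    datetime(2024-01-01T10:20:00Z), "alice@contoso.example",                "Delete Firewall Rule",           "Failed"
];
SampleActivity
| where OperationName has "Firewall Rule"
| where ActivityStatus has "Succeeded"
// toguid() returns null for anything that is not a well-formed guid, i.e. an email/UPN,
// so a null result is labelled Human and a successful conversion ServicePrincipal.
| extend CallerType = iff(isnull(toguid(Caller)), "Human", "ServicePrincipal")
| summarize Operations = count(), Callers = make_set(Caller) by CallerType, OperationName
| order by CallerType asc, OperationName asc
```

Dropping the summarize line and keeping extend gives the per-row view with the caller type as an extra column.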
Hope it helps!
Happy Kusto log querying!