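// Inventory of Azure DevOps 'azurerm' service connections observed in the last 7 days:
// one row per organization / project / endpoint (latest record by CreatedDate_t),
// with the authorization scheme surfaced so secret-based ServicePrincipal connections
// can be told apart from Workload Identity Federation and Managed Identity ones.
DataResource_CL
| where TimeGenerated > ago(7d)
| where ResourceType =~ 'endpoint'
// Collapse repeated exports to the most recent record per endpoint; arg_max(*) keeps
// every other column so they remain available to project below.
| summarize arg_max(CreatedDate_t, *) by ReferenceName1_s, ReferenceName2_s, ResourceRefId_s
// Parse the JSON payload once instead of once per extracted field.
| extend DataJson = parse_json(Data_s)
| extend EndpointType = tostring(DataJson["type"])
// Case-insensitive match, consistent with the ResourceType filter above; the
// case-sensitive in('azurerm','AzureRM') silently dropped any other casing.
| where EndpointType =~ 'azurerm'
// Identity behind the connection (service principal object id / app registration object id).
| extend spnObjectId = tostring(DataJson["data"]["spnObjectId"])
| extend appObjectId = tostring(DataJson["data"]["appObjectId"])
// How the pipeline authenticates to Azure: WorkloadIdentityFederation, ServicePrincipal (secret),
// ManagedServiceIdentity, PublishProfile, or anything else the export carries.
| extend authorizationScheme = tostring(DataJson["authorization"]["scheme"])
// NOTE(review): presumably Automatic vs Manual creation of the identity — confirm against the export schema.
| extend creationMode = tostring(DataJson["data"]["creationMode"])
// Federated credential issuer/subject; only populated for WIF connections.
| extend workloadIdentityFederationIssuer = tostring(DataJson["authorization"]["parameters"]["workloadIdentityFederationIssuer"])
| extend workloadIdentityFederationSubject = tostring(DataJson["authorization"]["parameters"]["workloadIdentityFederationSubject"])
// NOTE(review): appears to be set while a converted connection can still revert to its
// previous scheme — a non-empty value is worth reviewing; confirm semantics with the source.
| extend revertSchemeDeadline = tostring(DataJson["data"]["revertSchemeDeadline"])
// Human-readable label; unknown schemes fall through unchanged.
| extend AuthenticationMethod = case(
    authorizationScheme =~ "WorkloadIdentityFederation", strcat("Workload Identity Federation", " (", creationMode, ")"),
    authorizationScheme =~ "ServicePrincipal", strcat("Service Principal", " (", creationMode, ")"),
    authorizationScheme =~ "ManagedServiceIdentity", "Managed Identity",
    authorizationScheme =~ "PublishProfile", "Publish Profile",
    authorizationScheme)
| project
    DateCreated = CreatedDate_t,
    ResourceRefName = ResourceRefName_s,
    ResourceRefId = ResourceRefId_s,
    Organization = ReferenceName1_s,
    Project = ReferenceName2_s,
    EndpointType,
    Name = name_s,
    spnObjectId,
    appObjectId,
    authorizationScheme,
    creationMode,
    workloadIdentityFederationIssuer,
    workloadIdentityFederationSubject,
    revertSchemeDeadline,
    AuthenticationMethod,
    OrganizationId = ReferenceId1_g,
    ProjectId = ReferenceId2_g,
    EndpointId = id_g,
    ResourceType,
    DataType_s,
    Data_s,
    Enterprise_s,
    Tenant_s,
    ManagementGroup_s,
    TimeGenerated
| order by
    Enterprise_s asc,
    Tenant_s asc,
    ManagementGroup_s asc,
    Organization asc,
    Project asc,
    ResourceRefName asc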