kqlHunting
Creation of new Azure Tenant
Detection Query
// Successful "Create Company" directory-management events, logged when a new tenant is created
AuditLogs
| where Category == "DirectoryManagement"
| where OperationName == "Create Company"
| where Result == "success"
// Identity and source IP of the user who initiated the creation
| extend AccountID = parse_json(tostring(InitiatedBy.user)).id
| extend InitiatingIPAddress = parse_json(tostring(InitiatedBy.user)).ipAddress
| extend InitiatingUPN = parse_json(tostring(InitiatedBy.user)).userPrincipalName
// ID of the newly created tenant
| extend CreatedTenantID = TargetResources[0].id
Data Sources
AuditLogs
Platforms
azure-ad
Tags
entra