Initial commit: KQL ↔ SDL PowerQuery proof of equivalence

2026-06-10 05:57:15 +00:00 · 2026-06-01 09:57:14 +02:00
commit 23cbaa9c08
91 changed files with 5966 additions and 0 deletions
@@ -0,0 +1,8 @@
+AuditLogs
+| where TimeGenerated > ago(1d)
+| where OperationName has_any ("Add service principal","Certificates and secrets management")
+| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
+| join kind=inner (
+    SigninLogs | where ResultType == 0 and TimeGenerated > ago(1d)
+    | project LoginTime = TimeGenerated, Identity, IPAddress, AppDisplayName
+  ) on $left.Actor == $right.Identity