from logs-azure.auditlogs-* metadata _id, _version, _index
| where event.action == "Authentication Methods Policy Update"
| eval Esql.azure_auditlogs_properties_target_resources_modified_properties_new_value_replace = replace(`azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value`, "\\\\", "")
| eval Esql.azure_auditlogs_properties_target_resources_modified_properties_old_value_replace = replace(`azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value`, "\\\\", "")
| dissect Esql.azure_auditlogs_properties_target_resources_modified_properties_new_value_replace "%{}discoveryUrl\":\"%{Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new}\"}%{}"
| dissect Esql.azure_auditlogs_properties_target_resources_modified_properties_old_value_replace "%{}discoveryUrl\":\"%{Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old}\"}%{}"
| where Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new is not null and Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old is not null
| where Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new != Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old
| keep
@timestamp,
event.action,
event.outcome,
azure.tenant_id,
azure.correlation_id,
azure.auditlogs.properties.activity_datetime,
azure.auditlogs.properties.operation_type,
azure.auditlogs.properties.initiated_by.user.userPrincipalName,
azure.auditlogs.properties.initiated_by.user.displayName,
azure.auditlogs.properties.initiated_by.user.ipAddress,
source.geo.city_name,
source.geo.region_name,
source.geo.country_name,
Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new,
Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old
Install detection rules in Elastic Security
Detect OIDC Discovery URL Changed in Entra ID in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).