Identity Admin Updating Security Info
Query
//Detects when an admin changes the authentication phone details for another user
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where OperationName == "Admin updated security info"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend ['New Phone Number'] = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[2].newValue)))
| extend ['Old Phone Number'] = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[2].oldValue)))
| project TimeGenerated, Actor, Target, ['New Phone Number'], ['Old Phone Number']Explanation
This query detects when an admin changes the authentication phone details for another user. It uses the Azure Active Directory - Audit Logs data connector. The query retrieves the time the event occurred, the admin who made the change, the user whose phone details were changed, the new phone number, and the old phone number.
Details

Matt Zorich
Released: June 17, 2022
Tables
AuditLogs
Keywords
AdminAuthenticationPhoneDetailsUserData ConnectorAzure Active DirectoryAudit LogsOperationNameActorTargetNew Phone NumberOld Phone NumberTimeGenerated
Operators
| where==extendtostringparse_jsonTargetResources[0]userPrincipalNamemodifiedPropertiesnewValueoldValueproject