KQL Search

This KQL (Kusto Query Language) query is designed to analyze audit logs to identify instances where a member was removed from a role after a granular admin relationship has ended. Here's a simple breakdown of what the query does:

1. Data Source: It starts by looking at the AuditLogs, which contain records of various operations performed within the system.

2. Filter by Operation: The query filters these logs to find entries where the operation performed is "Remove member from role". This means it is specifically interested in actions where a user or entity was removed from a specific role.

3. Identify the Initiating Application: It extends the data to include the name of the application that initiated the operation, labeled as App.

4. Filter by Specific Application: It further narrows down the results to only include those operations initiated by an application named 'Partner Customer Delegated Admin Offline Processor'. This suggests that the query is focused on role removals initiated by this specific application.

5. Extract Partner ID: Finally, it extends the data to include the PartnerID, which is extracted from the first value in the AdditionalDetails array. This likely represents the identifier of the partner associated with the operation.

In summary, this query is used to track and analyze role removal actions specifically initiated by the 'Partner Customer Delegated Admin Offline Processor' application, and it extracts the partner ID involved in these actions for further analysis or reporting.