KQL Query to detect full_access_as_app consent grants in azure
1 parent
5d8acad
commit f7c0a66
Showing
1 changed file
with
24 additions
and
0 deletions.
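--- /dev/null
+++ b/PATH_NOT_IN_PAGE
@@ -0,0 +1,24 @@
+AuditLogs
+| where Category =~ "ApplicationManagement"
+| where ActivityDisplayName has_any ("Add delegated permission grant","Add app role assignment to service principal")
+| where Result =~ "success"
+| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
+| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))
+| mv-expand props
+| extend UserAgent = tostring(AdditionalDetails[0].value)
+| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
+| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
+| extend DisplayName = tostring(props.displayName)
+| extend Permissions = tostring(parse_json(tostring(props.newValue)))
+| where Permissions has_any ("full_access_as_app")
+| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)
+| extend Type = tostring(TargetResources[0].type)
+| project-away props
+| join kind=leftouter(
+AuditLogs
+| where ActivityDisplayName has "Consent to application"
+| extend AppName = tostring(TargetResources[0].displayName)
+| extend AppId = tostring(TargetResources[0].id)
+| project AppName, AppId, CorrelationId) on CorrelationId
+| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId
+| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress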
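Review bot: The initiator filter on the `InitiatedBy` line keeps an event only when the user UPN or the app displayName contains "@", so a grant performed by a service principal whose displayName has no "@" is dropped, and `InitiatingUser`/`UserIPAddress` — and with them the `AccountCustomEntity`/`IPCustomEntity` mapping on the last line — are read from `InitiatedBy.user` only, so they come out empty for any app-initiated event that does pass. Since an application adding `full_access_as_app` to a service principal is one of the cases this rule exists to catch, consider `| where isnotempty(InitiatedBy.user.userPrincipalName) or isnotempty(InitiatedBy.app.displayName)` together with `| extend InitiatingUser = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))`. Separately, `UserAgent` is taken from `AdditionalDetails[0].value` by position; if the User-Agent entry is not always first in that array, selecting it by key (for example with `mv-apply` on the element whose `key` is the user-agent key — confirm the exact key against live data) would be more reliable. The `leftouter` join on `CorrelationId` alone will also duplicate a result row when more than one "Consent to application" event shares the correlation id; reducing the inner side with `| summarize arg_max(TimeGenerated, *) by CorrelationId` before the `project` avoids that.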