Query Details

App Consent To Risky Application

Query

AuditLogs
| where OperationName == "Consent to application"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[5].displayName == "ConsentAction.Reason"
| where parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[5].newValue)) contains "Risky application detected"
//Risk Based Step up flow to Admin Flow. This will log even if the permissions being requested are already admin consentable.
//Ref: https://www.youtube.com/watch?v=JBt-sB0qXqk&pp=ygUPbWVyaWxsIGZlcm5hbmRv

Explanation

This KQL (Kusto Query Language) query is designed to filter and analyze audit logs related to application consent actions. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by looking at the AuditLogs table, which contains records of various operations performed within a system.

  2. Filter by Operation: It filters the logs to only include entries where the operation performed is "Consent to application." This means it focuses on actions where a user or admin has given permission for an application to access certain resources.

  3. Extract and Filter by Property: The query then digs into the details of these consent actions by examining the modifiedProperties of the target resources. Specifically, it looks at the sixth property (index 5) and checks if its displayName is "ConsentAction.Reason."

  4. Check for Risky Applications: It further filters these entries to find cases where the newValue of this property contains the phrase "Risky application detected." This suggests that the consent action was flagged due to the application being considered risky.

  5. Context Note: The comment in the query provides additional context, indicating that this is part of a risk-based step-up flow to an admin flow. It notes that such logs will be recorded even if the permissions requested by the application are already eligible for admin consent.

Overall, this query is used to identify and analyze instances where consent was given to applications that were flagged as risky, providing insights into potential security concerns or policy violations.
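The original query picks the ConsentAction.Reason property by its array position (index 5), which breaks if Microsoft reorders or adds properties. The variant below is an added example, not part of the original query: it expands modifiedProperties and matches the property by name, then surfaces who consented to which application. Column names (TimeGenerated, InitiatedBy, CorrelationId) are the standard Entra ID AuditLogs schema in Log Analytics; the output alias names are my own.

```kql
// Added example (not the original query): locate ConsentAction.Reason by name
// rather than by array index, and enrich with the consenting user and target app.
AuditLogs
| where OperationName == "Consent to application"
// modifiedProperties is an array of {displayName, oldValue, newValue};
// mv-expand yields one row per property so the match does not depend on position.
| mv-expand prop = TargetResources[0].modifiedProperties
| where tostring(prop.displayName) == "ConsentAction.Reason"
// newValue is a JSON-encoded string; a substring match works without a second parse_json.
| where tostring(prop.newValue) contains "Risky application detected"
| extend ConsentingUser = tostring(InitiatedBy.user.userPrincipalName),
         AppDisplayName = tostring(TargetResources[0].displayName),
         Reason         = tostring(prop.newValue)
| project TimeGenerated, ConsentingUser, AppDisplayName, Reason, CorrelationId
| order by TimeGenerated desc
```

CorrelationId lets an analyst pivot to the matching sign-in and admin-consent request events for the same consent attempt.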

Details

Jay Kerai

Released: August 6, 2025

Tables

AuditLogs

Keywords

AuditLogs, OperationName, TargetResources, ConsentAction.Reason, Risky application, Admin permissions

Operators

AuditLogs, |, where, ==, parse_json, tostring, [ ], ., contains