Query Details

MDA OAuth App Disabled

Query

AuditLogs
| where Identity == "MAPG" //My guess is this is Microsoft Application Governance
| where OperationName == "Update service principal"
| where Category == "ApplicationManagement"
| where parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue))[0] == false and parse_json(tostring(TargetResources[0].modifiedProperties))[0].displayName == "AccountEnabled"
//In the background, MDA disables the SP, preventing application permissions, and disables the app for user sign-in, preventing delegated permissions

Explanation

This query searches the audit logs for events in which a service principal (the security identity an application or service uses to access resources) was disabled. Here's a breakdown of what the query does:

  1. AuditLogs: This is the dataset being queried, which contains logs of various actions and changes.

  2. Filter by Identity: The query looks for logs where the Identity is "MAPG". The query author's comment guesses that this stands for Microsoft Application Governance, which seems reasonable given the context.

  3. Filter by Operation: It further narrows down the logs to those where the OperationName is "Update service principal". This means it's looking for events where a service principal was updated.

  4. Filter by Category: The query also specifies that the Category should be "ApplicationManagement", focusing on logs related to application management activities.

  5. Check Modified Properties: The query examines the modifiedProperties of the TargetResources to find entries where:

    • The newValue of the first modified property is false, and
    • The displayName of this property is "AccountEnabled".

    This indicates that the account (service principal) was disabled.

In summary, this query identifies logs where the identity "MAPG" (presumed to be Microsoft Application Governance) updated a service principal, focusing on instances where the account was disabled. According to the query's closing comment, MDA disables the service principal, which prevents application permissions, and disables the app for user sign-in, which prevents delegated permissions.
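
The query above inspects only TargetResources[0].modifiedProperties[0], so it matches only when AccountEnabled is the first modified property. The variant below is an added example, not the original author's query: it expands every modified property so the match does not depend on ordering, and it returns the affected app. The SampleAuditLogs rows, app names and IDs are constructed; replace SampleAuditLogs with AuditLogs to run it against a workspace.

```kusto
// Added example: not the original author's query.
// SampleAuditLogs holds constructed rows with only the columns this query reads.
// Row 1: AccountEnabled set to false, listed first in modifiedProperties.
// Row 2: AccountEnabled set to false, listed second in modifiedProperties.
// Row 3: AccountEnabled set to true (app re-enabled).
// Row 4: AccountEnabled set to false, but by a different identity.
let SampleAuditLogs = datatable(TimeGenerated:datetime, Identity:string, OperationName:string, Category:string, TargetResources:dynamic)
[
    datetime(2025-04-12 10:00:00), "MAPG", "Update service principal", "ApplicationManagement",
    dynamic([{"displayName":"Constructed App A","id":"00000000-0000-0000-0000-000000000001","modifiedProperties":[{"displayName":"AccountEnabled","oldValue":"[true]","newValue":"[false]"}]}]),
    datetime(2025-04-12 10:05:00), "MAPG", "Update service principal", "ApplicationManagement",
    dynamic([{"displayName":"Constructed App B","id":"00000000-0000-0000-0000-000000000002","modifiedProperties":[{"displayName":"ConstructedOtherProperty","oldValue":"[]","newValue":"[]"},{"displayName":"AccountEnabled","oldValue":"[true]","newValue":"[false]"}]}]),
    datetime(2025-04-12 10:10:00), "MAPG", "Update service principal", "ApplicationManagement",
    dynamic([{"displayName":"Constructed App C","id":"00000000-0000-0000-0000-000000000003","modifiedProperties":[{"displayName":"AccountEnabled","oldValue":"[false]","newValue":"[true]"}]}]),
    datetime(2025-04-12 10:15:00), "constructed.admin@example.com", "Update service principal", "ApplicationManagement",
    dynamic([{"displayName":"Constructed App D","id":"00000000-0000-0000-0000-000000000004","modifiedProperties":[{"displayName":"AccountEnabled","oldValue":"[true]","newValue":"[false]"}]}])
];
SampleAuditLogs
| where Identity == "MAPG"
| where OperationName == "Update service principal"
| where Category == "ApplicationManagement"
// One row per target resource, then one row per modified property.
| mv-expand TargetResource = TargetResources
| mv-expand Property = TargetResource.modifiedProperties
| where tostring(Property.displayName) == "AccountEnabled"
// newValue is a JSON array stored as a string, e.g. "[false]"; take its first element.
| extend NewValue = tostring(parse_json(tostring(Property.newValue))[0])
| where NewValue =~ "false"
| project TimeGenerated,
          Identity,
          AppDisplayName = tostring(TargetResource.displayName),
          ServicePrincipalId = tostring(TargetResource.id),
          OldValue = tostring(Property.oldValue),
          NewValue
```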

Details

Jay Kerai

Released: April 12, 2025

Tables

AuditLogs

Keywords

AuditLogs, ApplicationManagement, MicrosoftApplicationGovernance, ServicePrincipal, AccountEnabled, MDA

Operators

AuditLogs, where, parse_json, tostring, and