Query Details

Risk Based Step Up Consent RBSU For Application

Query

AuditLogs
| where OperationName == "Consent to application"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[5].displayName == "ConsentAction.Reason"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[5].newValue contains "Risky application detected"
//Risk Based Step up flow to Admin Flow. This will log even if the permissions being requested are already admin consentable.
//https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent
//Ref: https://youtu.be/JBt-sB0qXqk?t=973

Explanation

This KQL query is designed to filter audit logs for specific events related to application consent. Here's a simplified explanation:

  1. AuditLogs: The query starts by looking at the audit logs, which record various actions and events.

  2. Filter by Operation: It specifically looks for logs where the operation performed is "Consent to application," meaning someone has given permission for an application to access certain resources.

  3. Inspect Modified Properties: The query examines the details of the consent action by parsing the JSON data in the modifiedProperties field of the first target resource. It focuses on the sixth property (index 5) which has the display name "ConsentAction.Reason."

  4. Check for Risky Applications: It further filters these logs to find cases where the new value of this property contains the phrase "Risky application detected." This indicates that the consent was given under circumstances where the application was flagged as potentially risky.

  5. Contextual Note: The comments in the query provide additional context. They note that this event is produced by the risk-based step-up consent flow, which redirects the user into the admin consent flow, and that it is logged even when the permissions being requested could already have been admin-consented. Links to documentation and a video are provided for further understanding.

Overall, this query is used to identify and analyze instances where consent was granted to applications that were flagged as risky, providing insights into potential security concerns.
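A position-independent variant of the same detection, added here as an example and not taken from the original page or its author: instead of relying on ConsentAction.Reason sitting at index 5 of modifiedProperties, it expands the array with mv-expand and matches on displayName, then projects the fields an analyst needs for triage. Column names (TimeGenerated, InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName, Result, CorrelationId) follow the Microsoft Sentinel AuditLogs schema; the aliases Actor, Application, AppId and ConsentReason are assumed names chosen for this example.

```kql
AuditLogs
| where OperationName == "Consent to application"
// One row per target resource (the application being consented to)
| mv-expand TargetResource = TargetResources
// One row per modified property; parse_json(tostring()) mirrors the original query's handling of the nested array
| mv-expand ModifiedProperty = parse_json(tostring(TargetResource.modifiedProperties))
// Match by name rather than array position, so reordering of the properties does not break the filter
| where tostring(ModifiedProperty.displayName) == "ConsentAction.Reason"
| where tostring(ModifiedProperty.newValue) contains "Risky application detected"
| extend Application   = tostring(TargetResource.displayName),
         AppId         = tostring(TargetResource.id),
         ConsentReason = tostring(ModifiedProperty.newValue),
         // Consent may be granted by a user or by a service principal; show whichever is present
         Actor         = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                                  tostring(InitiatedBy.app.displayName))
| project TimeGenerated, Actor, Application, AppId, Result, ConsentReason, CorrelationId
| order by TimeGenerated desc
```

Because the step-up flow logs this reason even when the requested permissions were already admin-consentable, the Result column is worth keeping: a successful consent to an application flagged as risky is the row that warrants review, while a failure indicates the step-up blocked the grant as intended.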

Details


Jay Kerai

Released: August 7, 2025

Tables

AuditLogs
