KQL Search

let SensitiveMsGraphPermissions = externaldata(EAMTierLevelName: string, Category: string, AppRoleDisplayName: string)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_AppRoles.json"] with(format='multijson') | where EAMTierLevelName == "ControlPlane" | project AppRoleDisplayName;
let SignInsWithDelegatedScope = union SigninLogs, AADNonInteractiveUserSignInLogs
| where ResourceDisplayName == "Microsoft Graph"
| extend JsonAuthProcDetails = parse_json(AuthenticationProcessingDetails)
| extend JsonAuthCaeDetails = parse_json(AuthenticationProcessingDetails)
| mv-apply JsonAuthProcDetails on (
    where JsonAuthProcDetails.key startswith "Oauth Scope Info"
    | project OAuthDelegatedScope=JsonAuthProcDetails.value
)
| mv-apply JsonAuthCaeDetails on (
    where JsonAuthCaeDetails.key startswith "Is CAE Token"
    | project IsCaeToken=JsonAuthCaeDetails.value
)  
| extend DeviceDetail = iff(isempty( DeviceDetail_dynamic ), todynamic(DeviceDetail_string), DeviceDetail_dynamic)    
| extend DeviceName = tostring(toupper(DeviceDetail.displayName))
| extend DeviceOS = tostring(parse_json(DeviceDetail).operatingSystem)
| extend DeviceTrust = tostring(parse_json(DeviceDetail).trustType)
| extend DeviceCompliance = tostring(parse_json(DeviceDetail).isCompliant)
| extend AuthenticationMethod = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod) 
| extend AuthenticationDetail = tostring(parse_json(AuthenticationDetails)[0].authenticationStepResultDetail)
| project TimeGenerated, CorrelationId, UserPrincipalName, RiskLevelDuringSignIn, RiskState, AppDisplayName, ResourceDisplayName, OAuthDelegatedScope, AuthenticationMethod, AuthenticationDetail, DeviceName, DeviceOS, DeviceTrust, DeviceCompliance, IsCaeToken;
SignInsWithDelegatedScope