Query Details

Usergrantedaccesstoanapp

Query

//Alert - User granted access to an app
SecurityAlert
| where SystemAlertId == "2032d776-50b6-16ca-dcd1-15d79414e3f4"
| summarize arg_max(TimeGenerated, *) by SystemAlertId

Explanation

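This query filters the SecurityAlert table for one specific security alert, identified by its SystemAlertId, in which a user was granted access to an app. It then uses summarize with arg_max(TimeGenerated, *) to return the details of that alert from its most recently generated record.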

Details

Rod Trent

Released: July 11, 2022

Tables

SecurityAlert

Keywords

Alert,User,App

Operators

where, summarize, arg_max, by