Query Details
// Using GraphPreConsentExplorer data for Microsoft Graph Threat Hunting
let GraphPreConsent=externaldata(Name:string, Client_Id:string, Enabled:string, Graph_api_permissions:string, Auth_code:string, Device_code:string, Brk_refresh:string, Foci:string, Reply_addresses:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/GraphPreConsent.csv'];
//
// Microsoft Graph Threat Hunting
//
MicrosoftGraphActivityLogs
// kind=inner keeps every matching activity row; KQL's default join flavour (innerunique) would deduplicate the left side on AppId
| join kind=inner GraphPreConsent on $left.AppId == $right.Client_Id
// Threat hunting Query
This query is designed for threat hunting over Microsoft Graph activity logs. Here is a simplified explanation of what it does:
Data Source Definition: It starts by defining an external data source named GraphPreConsent with the externaldata operator. The source is a CSV file hosted on GitHub, taken from the GraphPreConsentExplorer data set, that lists applications together with their names, client IDs and Microsoft Graph API permissions. Because the file is fetched from the main branch of a third-party repository every time the query runs, whoever can change that file changes what the hunt matches; pinning the URL to a specific commit instead of refs/heads/main is a sensible precaution.
Data Fields: The schema declared in the query has nine string columns: Name, Client_Id, Enabled, Graph_api_permissions, Auth_code, Device_code, Brk_refresh, Foci and Reply_addresses. The last five describe the authentication flows each application supports and its registered reply addresses.
Data Joining: The query then takes MicrosoftGraphActivityLogs, the table of requests made to the Microsoft Graph API, and joins it to GraphPreConsent where the AppId recorded in the activity log equals the Client_Id in the list. One caveat: KQL's default join flavour is innerunique, which deduplicates the left side on the join key and therefore returns only one activity row per AppId; for hunting you normally want join kind=inner so that every matching request is retained.
Purpose: The result is the set of Graph API calls made by applications on the pre-consent list, each row annotated with the application's name and permissions. Correlating live activity with known pre-consented applications helps surface potential security threats or unauthorized access patterns, since an attacker who obtains a token for one of these well-known client IDs can call Graph without ever prompting a user for consent.
In essence, the query enriches Microsoft Graph activity logs with pre-consent data so that each request can be analysed in the context of what the calling application is already allowed to do.
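As an added example, not part of the published query above, the same correlation can be extended into a per-application summary that a hunter can read at a glance. It assumes the GraphPreConsent CSV carries a header row (hence ignoreFirstRecord=true), a seven-day look-back window, and the standard MicrosoftGraphActivityLogs columns TimeGenerated, UserId, RequestUri, RequestMethod and ResponseStatusCode.

```kql
// Added example (not the original query): correlate Graph activity with the
// GraphPreConsent list and summarize what each listed application is touching.
let GraphPreConsent = externaldata(Name:string, Client_Id:string, Enabled:string, Graph_api_permissions:string, Auth_code:string, Device_code:string, Brk_refresh:string, Foci:string, Reply_addresses:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/GraphPreConsent.csv']
// Assumption: the CSV has a header row, so the first record is skipped
with(format="csv", ignoreFirstRecord=true);
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(7d)                  // look-back window; adjust as needed
// kind=inner keeps every matching request; the default innerunique flavour would keep one row per AppId
| join kind=inner GraphPreConsent on $left.AppId == $right.Client_Id
// The second path segment of the request URI is the Graph resource, e.g. /v1.0/users/... -> "users"
| extend Resource = tostring(split(tostring(parse_url(RequestUri).Path), "/")[2])
| summarize
    Requests  = count(),
    Users     = dcount(UserId),
    Methods   = make_set(RequestMethod),
    Statuses  = make_set(ResponseStatusCode),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by AppId, Name, Device_code, Foci, Resource
| order by Requests desc
```

Grouping by Device_code and Foci carries the list's own flags through to the output without assuming how they are encoded, so an application that supports the device code flow, or that belongs to a family of client IDs, is visible next to the resources it is reading or writing. Unusually high request counts, write methods such as POST or PATCH against sensitive resources, or a first-party client ID appearing for the first time are the rows worth pivoting on.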

Steven Lim
Released: February 10, 2025