Forum Discussion
stianhoydal
Oct 09, 2020Brass Contributor
Historical data applications access to potentially sensitive data
Hello everyone. I found https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/ConsentToApplicationDiscovery.yaml for finding occurrences of users granting access to appl...
CliveWatson
Oct 09, 2020Former Employee
Are you looking for data here:
```kusto
// All Azure AD application-management audit events
AuditLogs
| where Category == "ApplicationManagement"
```
There are lots of application-specific operations:
```kusto
AuditLogs
| where Category == "ApplicationManagement"
// Name of the application the operation targeted
| extend displayName_ = tostring(TargetResources[0].displayName)
// Keep only operations whose name mentions an application
| where OperationName has "application"
```
Examples:
| OperationName |
|---|
| Add application |
| Add owner to application |
| Update application – Certificates and secrets management |
| Update application |
| Consent to application |
| Delete application |
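A worked version of the consent query, added here as an example; it is not from the original post, from Clive, or from the Azure-Sentinel repository. It assumes the Azure AD AuditLogs schema as exported to Log Analytics (Category, OperationName, Result, TargetResources, InitiatedBy) and that the "Consent to application" event carries modifiedProperties entries named ConsentContext.IsAdminConsent and ConsentAction.Permissions whose newValue text includes "Scope: <scopes>". The `sensitiveScopes` list is an illustrative choice, not something the thread specifies.

```kusto
// Added example (not from the original post): who consented to which app,
// whether it was admin consent, and which delegated scopes were granted.
// Assumed schema: AuditLogs with Category, OperationName, Result,
// TargetResources (dynamic), InitiatedBy (dynamic); the consent event's
// modifiedProperties hold ConsentContext.IsAdminConsent and
// ConsentAction.Permissions, the latter's newValue containing "Scope: ...".
let lookback = 30d;
// Illustrative list of scopes worth a second look; tune for your tenant.
let sensitiveScopes = dynamic(["Mail.Read", "Mail.ReadWrite", "Mail.Send",
                               "Files.Read.All", "Files.ReadWrite.All",
                               "Directory.Read.All", "Directory.AccessAsUser.All",
                               "offline_access"]);
AuditLogs
| where TimeGenerated > ago(lookback)
| where Category == "ApplicationManagement"
| where OperationName == "Consent to application"
| where Result == "success"
| extend AppDisplayName = tostring(TargetResources[0].displayName),
         AppId          = tostring(TargetResources[0].id),
         ConsentingUser = tostring(InitiatedBy.user.userPrincipalName),
         ConsentingIp   = tostring(InitiatedBy.user.ipAddress),
         Props          = TargetResources[0].modifiedProperties
// Pull the two interesting entries out of the modifiedProperties array.
| mv-apply Prop = Props on (
    summarize IsAdminConsent = anyif(tostring(Prop.newValue), tostring(Prop.displayName) == "ConsentContext.IsAdminConsent"),
              PermissionsRaw = anyif(tostring(Prop.newValue), tostring(Prop.displayName) == "ConsentAction.Permissions")
  )
// newValue is a JSON-encoded string such as "\"True\"", so strip the quotes.
| extend IsAdminConsent = trim(@'"', IsAdminConsent)
// Each granted permission block reads "... Scope: User.Read Mail.Read, ..."; collect all of them.
| extend Scopes = strcat_array(extract_all(@"Scope:\s*([^,\]]+)", PermissionsRaw), " ")
| extend SensitiveScopes = set_intersect(split(Scopes, " "), sensitiveScopes)
| extend IsSensitive = array_length(SensitiveScopes) > 0
| project TimeGenerated, ConsentingUser, ConsentingIp, AppDisplayName, AppId,
          IsAdminConsent, Scopes, SensitiveScopes, IsSensitive
| order by IsSensitive desc, TimeGenerated desc
```

Run it from the Logs blade of the Sentinel workspace and raise `lookback` to cover older consents. Keep in mind that AuditLogs records the grant itself (who consented, to what, with which scopes); the Microsoft Graph calls an application makes afterwards are not written to this table.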
stianhoydal
Oct 11, 2020Brass Contributor
Yes, this is a great way of finding the occurrences of apps being granted permissions, but I am curious how I find information about what potentially malicious apps are doing with this information.
Say I find a user has given permissions to an application named "notavirus.exe". How do I find logs on what this application does with its permissions? For example, a malicious application might use illicitly gained permissions to view users' emails and such.