kqlHunting
Audit Logic Apps with Office365 Connections using Resource Query
Credit: santisq
Detection Query
//Credit: santisq
resources
| where ['type'] == 'microsoft.logic/workflows'
| extend connections = properties['parameters']['$connections']['value']
| mv-expand key = bag_keys(connections)
| where key startswith 'office365'
| extend connectionId = tostring(connections[tostring(key)]['connectionId'])
| join kind=inner (
    resources
    | where ['type'] == 'microsoft.web/connections'
    //and properties['authenticatedUser']['name'] =~ 'mySMBemail@company.com' //if you want to drill down on who authorized the connection
    | project
        connectionId = id,
        connectionName = name,
        connectionProperties = properties,
        connectionResourceGroup = resourceGroup
) on connectionId
| project-away connectionId1
//Consider using Managed Identities with Exchange RBAC instead: https://janbakker.tech/a-love-story-about-role-based-access-control-for-applications-in-exchange-online-managed-identities-entra-id-admin-units-and-graph-api/
Tags
azure