Skip to content

Fix modifiedProperties displayName in OAuthConsentToHighRiskPermissionScope#14334

Merged
v-atulyadav merged 2 commits into
Azure:masterfrom
descambiado:fix-oauth-consent-scope-property-name
May 27, 2026
Merged

Fix modifiedProperties displayName in OAuthConsentToHighRiskPermissionScope#14334
v-atulyadav merged 2 commits into
Azure:masterfrom
descambiado:fix-oauth-consent-scope-property-name

Conversation

@descambiado
Copy link
Copy Markdown
Contributor

@descambiado descambiado commented May 23, 2026

Summary

OAuthConsentToHighRiskPermissionScope.yaml (merged in #14276) has a one-line bug that causes the query to return zero results:

-- before
| where tostring(ModProp.displayName) =~ "ConsentContext.Permissions"

-- after
| where tostring(ModProp.displayName) =~ "ConsentAction.Permissions"

ConsentContext.Permissions is not a valid displayName value in TargetResources[0].modifiedProperties for Entra ID consent audit events. The correct value is ConsentAction.Permissions.

Evidence from the same repo:

  • OAuthConsentToHighRiskPermission.yaml line 62: | where PropertyName =~ "ConsentAction.Permissions"
  • ConsentToApplicationDiscovery.yaml: extend perms = tostring(parse_json(tostring(PropertyUpdate.["ConsentAction.Permissions"]))[0])

Files changed

  • Hunting Queries/MultipleDataSources/OAuthConsentToHighRiskPermissionScope.yaml — 1 line changed

@descambiado
Fix modifiedProperties displayName in OAuthConsentToHighRiskPermissio…
d0ce473 
…nScope

ConsentContext.Permissions is not a valid displayName in Azure AuditLogs
modifiedProperties for consent events. The correct value is
ConsentAction.Permissions, consistent with OAuthConsentToHighRiskPermission.yaml
(line 62) and ConsentToApplicationDiscovery.yaml in the same repo.
The previous value caused the query to return zero results.
@descambiado descambiado requested review from a team as code owners May 23, 2026 12:56
@v-maheshbh v-maheshbh added the Hunting Hunting specialty review needed label May 25, 2026
@v-atulyadav v-atulyadav requested a review from Copilot May 26, 2026 08:00
Copilot AI reviewed May 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Fixes a broken filter in the Entra ID consent audit hunting query so it correctly matches the modifiedProperties.displayName value and returns expected results.

Changes:

  • Update TargetResources[0].modifiedProperties.displayName filter from ConsentContext.Permissions to ConsentAction.Permissions

@v-atulyadav
Copy link
Copy Markdown
Collaborator

v-atulyadav commented May 26, 2026

Hi @descambiado,
Please pull the latest changes from the master branch and push again to rerun the stuck validation. Thanks

@descambiado
Copy link
Copy Markdown
Contributor Author

descambiado commented May 27, 2026

Pushed a merge of latest master to rerun the validation. No Copilot inline comments were open on this one, so nothing else to change here.

@v-atulyadav v-atulyadav merged commit b1daa23 into Azure:master May 27, 2026
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@v-atulyadav v-atulyadav v-atulyadav approved these changes

Assignees

@v-atulyadav v-atulyadav

Labels

Hunting Hunting specialty review needed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@descambiado @v-atulyadav @v-maheshbh