Query Details

20 New Rogue OAuth Application

Query

id: b5c1d3e4-f9a0-2b6c-7d8e-9f0a1b2c3d4e
name: New or Rogue OAuth Application First Seen in Tenant
version: 1.0.0
kind: Scheduled
description: |
  Detects OAuth applications that appear for the first time in the past 7 days with
  no prior activity in the preceding 30 days. New applications suddenly generating
  non-interactive sign-ins can indicate illicit app consent, rogue app registration,
  or a third-party supply chain compromise granting persistent access to your tenant.
  MITRE ATT&CK: T1528 (Steal Application Access Token), T1199 (Trusted Relationship)
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 24h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - CredentialAccess
  - InitialAccess
relevantTechniques:
  - T1528
  - T1199
  - T1078
query: |
  // Baseline: every AppId with any non-interactive sign-in between 14 and 7 days ago
  let KnownApps =
      AADNonInteractiveUserSignInLogs
      | where TimeGenerated between (ago(14d) .. ago(7d))
      | summarize by AppId;
  // Candidates: successful non-interactive sign-ins in the last 7 days
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(7d)
  | where ResultType == 0
  // Keep only AppIds that never appeared in the baseline window
  | join kind=leftanti KnownApps on AppId
  | summarize
      FirstSeen = min(TimeGenerated),
      UserCount = dcount(UserPrincipalName),
      Users     = make_set(UserPrincipalName, 10),
      IPs       = make_set(IPAddress),
      Countries = make_set(Location)
    by AppDisplayName, AppId
  // One representative IP for the IP entity mapping; the full set remains in IPs
  | extend IPAddress = tostring(IPs[0])
  | order by FirstSeen desc
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: AppId
        columnName: AppId
      - identifier: Name
        columnName: AppDisplayName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  AppDisplayName: AppDisplayName
  AppId: AppId
  AffectedUsers: UserCount
  Countries: Countries
alertDetailsOverride:
  alertDisplayNameFormat: "New OAuth App Detected - '{{AppDisplayName}}' first seen in tenant"
  alertDescriptionFormat: "OAuth app '{{AppDisplayName}}' (ID: {{AppId}}) was first seen generating non-interactive sign-ins in the past 7 days. Affected {{UserCount}} users. Verify legitimate authorization."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: P1D
    matchingMethod: AnyAlert
    groupByEntities:
      - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect new or potentially rogue OAuth applications that have appeared in your Azure Active Directory tenant within the last 7 days. It specifically looks for applications that have not shown any activity in the previous 30 days. The sudden appearance of these applications generating non-interactive sign-ins could indicate unauthorized app consent, rogue app registration, or a compromise in a third-party supply chain that grants persistent access to your tenant.

Here's a simplified breakdown of the query:

  1. Known Applications: It first identifies applications that were active between 14 and 7 days ago, creating a list of known applications.

  2. New Applications: It then checks for applications that have started generating non-interactive sign-ins in the last 7 days and were not in the list of known applications.

  3. Data Collection: For these new applications, it collects details such as the first time they were seen, the number of users affected, and the IP addresses and countries from which the sign-ins originated.

  4. Alert Generation: If any such new applications are detected, an alert is generated with details like the application name, ID, and the number of affected users. The alert suggests verifying whether the application's authorization is legitimate.

  5. Incident Management: If an alert is triggered, it can create an incident, and there's a configuration to group related alerts into a single incident based on the application.

The query is scheduled to run every 24 hours and looks back over a 14-day period. It is designed to help identify potential security threats related to unauthorized access via OAuth applications, aligning with tactics like Persistence, Credential Access, and Initial Access as per the MITRE ATT&CK framework.
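As an added example (not part of the rule or the author's code), the following Python re-implements the query's KnownApps / leftanti logic over constructed sign-in rows so the windows can be tested offline before deployment. The `baseline_days` parameter is an addition for illustration: the rule itself builds its baseline from the fixed 14d..7d window, and the example shows what that window does and does not catch.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 29, tzinfo=timezone.utc)  # constructed reference time

def ago(days):
    return NOW - timedelta(days=days)

def row(days_ago, app_id, name, upn, ip="203.0.113.10", loc="US", result="0"):
    # One AADNonInteractiveUserSignInLogs row with just the columns the rule reads
    return {"TimeGenerated": ago(days_ago), "AppId": app_id, "AppDisplayName": name,
            "UserPrincipalName": upn, "IPAddress": ip, "Location": loc, "ResultType": result}

# Constructed sample log: four apps with different histories
ROWS = [
    row(10, "app-known", "Mail Sync", "alice@example.test"),     # active inside the baseline window
    row(2, "app-known", "Mail Sync", "alice@example.test"),
    row(1, "app-new", "Data Exporter", "alice@example.test"),    # never seen before
    row(1, "app-new", "Data Exporter", "bob@example.test", ip="198.51.100.7", loc="DE"),
    row(20, "app-old", "Legacy Tool", "carol@example.test"),     # last active before the baseline window
    row(1, "app-old", "Legacy Tool", "carol@example.test"),
    row(1, "app-failed", "Broken App", "dave@example.test", result="50126"),  # failed sign-in only
]

def detect_new_apps(rows, baseline_days=14, recent_days=7):
    """Mirror the KQL: KnownApps = AppIds seen in [ago(baseline_days) .. ago(recent_days)];
    then keep successful sign-ins newer than ago(recent_days) whose AppId is not known."""
    known = {r["AppId"] for r in rows
             if ago(baseline_days) <= r["TimeGenerated"] <= ago(recent_days)}
    groups = defaultdict(list)
    for r in rows:
        if (r["TimeGenerated"] > ago(recent_days) and r["ResultType"] == "0"
                and r["AppId"] not in known):
            groups[(r["AppDisplayName"], r["AppId"])].append(r)
    results = []
    for (name, app_id), rs in groups.items():
        results.append({"AppDisplayName": name, "AppId": app_id,
                        "FirstSeen": min(r["TimeGenerated"] for r in rs),
                        "UserCount": len({r["UserPrincipalName"] for r in rs}),
                        "IPs": sorted({r["IPAddress"] for r in rs}),
                        "Countries": sorted({r["Location"] for r in rs})})
    return sorted(results, key=lambda x: x["FirstSeen"], reverse=True)

if __name__ == "__main__":
    for hit in detect_new_apps(ROWS):
        print(hit["AppDisplayName"], hit["AppId"], hit["UserCount"], hit["Countries"])
```

With the rule's 14d..7d baseline, "Legacy Tool" (last active 20 days ago) is reported as new alongside "Data Exporter"; widening the baseline to cover 30 days before the recent window (`baseline_days=37`) suppresses it.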

Details


David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

OAuth, Applications, Tenant, SignIns, AppConsent, Registration, AccessToken, Relationship, AzureActiveDirectory, UserSignInLogs, AppId, AppDisplayName, UserPrincipalName, IPAddress, Location, CloudApplication

Operators

let, between, ago, summarize, by, where, >, ==, join, kind=leftanti, on, min, dcount, make_set, extend, tostring, order by, desc
