Query Details

New or Rogue OAuth Application First Seen in Tenant

20 New Rogue O Auth Application

Query

let KnownApps =
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated between (ago(14d) .. ago(7d))
    | summarize by AppId;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| join kind=leftanti KnownApps on AppId
| summarize
    FirstSeen = min(TimeGenerated),
    UserCount = dcount(UserPrincipalName),
    Users     = make_set(UserPrincipalName, 10),
    IPs       = make_set(IPAddress),
    Countries = make_set(Location)
  by AppDisplayName, AppId
| extend IPAddress = tostring(IPs[0])
| order by FirstSeen desc

Explanation

This query is designed to detect new or potentially rogue OAuth applications that have appeared in your Azure Active Directory tenant within the last 7 days. It specifically looks for applications that have not shown any activity in the previous 30 days. The sudden appearance of these applications generating non-interactive sign-ins could indicate unauthorized app consent, rogue app registration, or a compromise in a third-party supply chain that grants persistent access to your tenant.

Here's a simplified breakdown of the query:

  1. Known Applications: It first identifies applications that were active between 14 and 7 days ago, creating a list of known applications.

  2. New Applications: It then checks for applications that have started generating non-interactive sign-ins in the last 7 days and were not in the list of known applications.

  3. Data Collection: For these new applications, it collects details such as the first time they were seen, the number of users affected, and the IP addresses and countries from which the sign-ins originated.

  4. Alert Generation: If any such new applications are detected, an alert is generated with details like the application name, ID, and the number of affected users. The alert suggests verifying whether the application's authorization is legitimate.

  5. Incident Management: If an alert is triggered, it can create an incident, and there's a configuration to group related alerts into a single incident based on the application.

The query is scheduled to run every 24 hours and looks back over a 14-day period. It is designed to help identify potential security threats related to unauthorized access via OAuth applications, aligning with tactics like Persistence, Credential Access, and Initial Access as per the MITRE ATT&CK framework.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

OAuthApplicationsTenantSignInsAppConsentRegistrationAccessTokenRelationshipAzureActiveDirectoryUserSignInLogsAppIdAppDisplayNameUserPrincipalNameIPAddressLocationCloudApplicationIPAddress

Operators

letbetweenagosummarizebywhere>==joinkind=leftantionmindcountmake_setextendtostringorder bydesc

Severity

Medium

Tactics

PersistenceCredentialAccessInitialAccess

MITRE Techniques

Frequency: 24h

Period: 14d

Actions

GitHub