Query Details

New OAuth App Registration with Immediate High-Privilege Consent

AR 001 New App Immediate High Privilege Consent

Query

let ConsentWindow = 10m;
let AppCreations = AuditLogs
| where TimeGenerated > ago(2h)
| where ActivityDisplayName in (
    "Add application",
    "Create application \u2013 Certificates and secrets management ")
| extend AppObjectId  = tostring(TargetResources[0].id)
| extend AppName      = tostring(TargetResources[0].displayName)
| extend CreatorUPN   = tostring(InitiatedBy.user.userPrincipalName)
| extend CreatorApp   = tostring(InitiatedBy.app.displayName)
| extend CreatorActor = iff(isnotempty(CreatorUPN), CreatorUPN, CreatorApp)
| project CreatedAt = TimeGenerated, AppObjectId, AppName, CreatorActor, CreatorUPN;
let ConsentEvents = AuditLogs
| where TimeGenerated > ago(2h)
| where ActivityDisplayName in (
    "Consent to application",
    "Add delegated permission grant",
    "Add app role assignment to service principal")
| extend AppObjectId    = tostring(TargetResources[0].id)
| extend ConsentorUPN   = tostring(InitiatedBy.user.userPrincipalName)
| extend ConsentorApp   = tostring(InitiatedBy.app.displayName)
| extend ConsentorActor = iff(isnotempty(ConsentorUPN), ConsentorUPN, ConsentorApp)
| extend PermDetails    = tostring(AdditionalDetails)
| project ConsentedAt = TimeGenerated, AppObjectId, ConsentorActor, ConsentorUPN, PermDetails;
AppCreations
| join kind=inner ConsentEvents on AppObjectId
| where ConsentedAt > CreatedAt
| where ConsentedAt <= CreatedAt + ConsentWindow
| extend MinutesBetween = datetime_diff('minute', ConsentedAt, CreatedAt)
| project
    TimeGenerated    = ConsentedAt,
    AppName,
    AppObjectId,
    CreatedAt,
    ConsentedAt,
    MinutesBetween,
    CreatorActor,
    CreatorUPN,
    ConsentorActor,
    ConsentorUPN,
    PermDetails

Explanation

This query is designed to detect potentially suspicious activity in an organization's Azure Active Directory (AAD), specifically related to OAuth applications. Here's a simplified breakdown of what the query does:

  1. Purpose: The query aims to identify new OAuth applications that are registered and then quickly granted high-privilege access within 10 minutes. This pattern can be indicative of OAuth phishing attacks, where malicious actors use tools to gain unauthorized access.

  2. Data Source: It uses audit logs from Azure Active Directory to track application creation and consent events.

  3. Process:

    • It first looks for new applications that have been created in the last two hours.
    • It then searches for consent events (where permissions are granted to these applications) that occurred within 10 minutes of the application's creation.
    • The query matches these two events based on the application ID.
  4. Output: If such a pattern is detected, the query outputs details including:

    • The time the application was created and consented to.
    • The name and ID of the application.
    • The actors involved in creating the application and granting consent.
    • The time difference between creation and consent.
  5. Severity and Tactics: The query is marked with high severity and is associated with tactics like Persistence and Credential Access, which are common in cyberattacks.

  6. Alert Details: If the query finds a match, it generates an alert with a specific format, highlighting the potential security risk.

  7. Frequency: The query runs every hour and looks back over the past two hours of data.

Overall, this query helps security teams quickly identify and respond to potential OAuth phishing setups by flagging suspiciously fast application consent activities.

Details

David Alonso profile picture

David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

OAuthAppRegistrationEntraIDAdminUserTokensPermissionsAuditLogsApplicationCertificatesSecretsManagementServicePrincipalAccountCloud

Operators

letagoinextendtostringiffisnotemptyprojectjoinkindonwhere<=>datetime_diff

Severity

High

Tactics

PersistenceCredentialAccess

MITRE Techniques

Frequency: 1h

Period: 2h

Actions

GitHub