Query Details

AR 001 New App Immediate High Privilege Consent

Query

id: a1b2c3d4-0001-4e5f-8901-aabbccddeeff
name: New OAuth App Registration with Immediate High-Privilege Consent
description: |
  Detects a new application registered in Entra ID followed within 10 minutes
  by an admin or user consent to that same application. This two-step pattern is
  characteristic of OAuth phishing infrastructure set up by tools such as
  TokenTactics, ROADtools, and AADInternals to obtain access tokens with broad
  delegated permissions.
  
  Reference: TokenTactics https://github.com/rvrsh3ll/TokenTactics
             ROADtools    https://github.com/dirkjanm/ROADtools
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Persistence
  - CredentialAccess
relevantTechniques:
  - T1098.001
  - T1528
query: |
  let ConsentWindow = 10m;
  let AppCreations = AuditLogs
  | where TimeGenerated > ago(2h)
  | where ActivityDisplayName in (
      "Add application",
      "Create application – Certificates and secrets management")
  | extend AppObjectId  = tostring(TargetResources[0].id)
  | extend AppName      = tostring(TargetResources[0].displayName)
  | extend CreatorUPN   = tostring(InitiatedBy.user.userPrincipalName)
  | extend CreatorApp   = tostring(InitiatedBy.app.displayName)
  | extend CreatorActor = iff(isnotempty(CreatorUPN), CreatorUPN, CreatorApp)
  | project CreatedAt = TimeGenerated, AppObjectId, AppName, CreatorActor, CreatorUPN;
  let ConsentEvents = AuditLogs
  | where TimeGenerated > ago(2h)
  | where ActivityDisplayName in (
      "Consent to application",
      "Add delegated permission grant",
      "Add app role assignment to service principal")
  | extend AppObjectId    = tostring(TargetResources[0].id)
  | extend ConsentorUPN   = tostring(InitiatedBy.user.userPrincipalName)
  | extend ConsentorApp   = tostring(InitiatedBy.app.displayName)
  | extend ConsentorActor = iff(isnotempty(ConsentorUPN), ConsentorUPN, ConsentorApp)
  | extend PermDetails    = tostring(AdditionalDetails)
  | project ConsentedAt = TimeGenerated, AppObjectId, ConsentorActor, ConsentorUPN, PermDetails;
  AppCreations
  | join kind=inner ConsentEvents on AppObjectId
  | where ConsentedAt > CreatedAt
  | where ConsentedAt <= CreatedAt + ConsentWindow
  | extend MinutesBetween = datetime_diff('minute', ConsentedAt, CreatedAt)
  | project
      TimeGenerated    = ConsentedAt,
      AppName,
      AppObjectId,
      CreatedAt,
      ConsentedAt,
      MinutesBetween,
      CreatorActor,
      CreatorUPN,
      ConsentorActor,
      ConsentorUPN,
      PermDetails

entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorUPN
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: ConsentorUPN
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: AppName

customDetails:
  AppObjectId: AppObjectId
  MinutesBetweenCreateAndConsent: MinutesBetween
  PermissionsGranted: PermDetails

alertDetailsOverride:
  alertDisplayNameFormat: "New OAuth App '{{AppName}}' created and immediately consented to by {{ConsentorActor}}"
  alertDescriptionFormat: "App '{{AppName}}' ({{AppObjectId}}) was created by {{CreatorActor}} and consented to by {{ConsentorActor}} {{MinutesBetween}} minute(s) later. This may indicate OAuth phishing infrastructure setup."

suppressionDuration: PT1H
suppressionEnabled: false
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to detect potentially suspicious activity in Microsoft Entra ID (formerly Azure Active Directory), specifically around OAuth application registrations and consent grants. Here's a simplified breakdown of what the query does:

  1. Purpose: The query identifies OAuth applications that are registered and then consented to within 10 minutes. The permissions granted are surfaced in PermDetails so an analyst can judge how much access was handed over. This fast register-then-consent pattern is characteristic of OAuth phishing infrastructure, where an attacker's tooling stands up an application in order to obtain access tokens.

  2. Data Source: It uses audit logs from Azure Active Directory to track application creation and consent events.

  3. Process:

    • It first looks for new applications that have been created in the last two hours.
    • It then searches for consent events (where permissions are granted to these applications) that occurred within 10 minutes of the application's creation.
    • The query matches the two events on TargetResources[0].id (AppObjectId). Confirm in your own tenant that creation and consent events carry the same identifier there: consent events are commonly logged against the service principal rather than the application object, in which case the join key must be aligned before the rule will fire.

  4. Output: If such a pattern is detected, the query outputs details including:

    • The time the application was created and consented to.
    • The name and ID of the application.
    • The actors involved in creating the application and granting consent (the user principal name when a user acted, otherwise the initiating application).
    • The time difference between creation and consent, in minutes.
    • The consent event's AdditionalDetails (PermDetails), which record which permissions were granted.

  5. Severity and Tactics: The query is marked with high severity and is associated with tactics like Persistence and Credential Access, which are common in cyberattacks.

  6. Alert Details: If the query finds a match, it generates an alert with a specific format, highlighting the potential security risk.

  7. Frequency: The query runs every hour and looks back over the past two hours of data.

Overall, this query helps security teams quickly identify and respond to potential OAuth phishing setups by flagging suspiciously fast application consent activities.
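The correlation the rule performs, replayed in Python over constructed AuditLogs-shaped records so the join key, the 10-minute window bounds and the user-or-app actor fallback can be checked offline. This is an added example, not part of the rule above or of any Sentinel tooling; the record shape, application names, object ids and actors are constructed sample data.

```python
from datetime import datetime, timedelta

CREATE_ACTIVITIES = {"Add application"}
CONSENT_ACTIVITIES = {"Consent to application", "Add delegated permission grant",
                      "Add app role assignment to service principal"}
CONSENT_WINDOW = timedelta(minutes=10)  # ConsentWindow in the KQL

def actor(initiated_by):
    # CreatorActor/ConsentorActor: the user UPN if present, else the initiating app name.
    user = (initiated_by.get("user") or {}).get("userPrincipalName", "")
    return user or (initiated_by.get("app") or {}).get("displayName", "")

def correlate(records, window=CONSENT_WINDOW):
    # Inner join of creation and consent events on TargetResources[0].id; keep pairs where
    # the consent lands strictly after creation and no more than `window` later.
    creations = [r for r in records if r["ActivityDisplayName"] in CREATE_ACTIVITIES]
    consents = [r for r in records if r["ActivityDisplayName"] in CONSENT_ACTIVITIES]
    hits = []
    for c in creations:
        for g in consents:
            if g["TargetResources"][0]["id"] != c["TargetResources"][0]["id"]:
                continue
            created, consented = c["TimeGenerated"], g["TimeGenerated"]
            if not (created < consented <= created + window):  # same bounds as the KQL
                continue
            hits.append({"AppName": c["TargetResources"][0]["displayName"],
                         "AppObjectId": c["TargetResources"][0]["id"],
                         "MinutesBetween": int((consented - created).total_seconds() // 60),
                         "CreatorActor": actor(c["InitiatedBy"]),
                         "ConsentorActor": actor(g["InitiatedBy"]),
                         "PermDetails": g.get("AdditionalDetails", [])})
    return hits

def _evt(activity, when, obj_id, name, by, details=None):
    # Constructed AuditLogs-shaped record (sample data, not real tenant logs).
    return {"ActivityDisplayName": activity, "TimeGenerated": when,
            "TargetResources": [{"id": obj_id, "displayName": name}],
            "InitiatedBy": by, "AdditionalDetails": details or []}

T0 = datetime(2026, 4, 6, 12, 0)
USER = {"user": {"userPrincipalName": "alice@contoso.example"}}
SP = {"app": {"displayName": "Automation-SP"}}  # no user field: exercises the fallback
SAMPLE_EVENTS = [  # constructed: one true positive, one too-late consent, one consent-before-create
    _evt("Add application", T0, "obj-aaa", "Mailer", USER),
    _evt("Consent to application", T0 + timedelta(minutes=4), "obj-aaa", "Mailer", SP,
         [{"key": "Scope", "value": "Mail.Read offline_access"}]),
    _evt("Add application", T0, "obj-bbb", "Reporting", USER),
    _evt("Consent to application", T0 + timedelta(minutes=30), "obj-bbb", "Reporting", USER),
    _evt("Consent to application", T0 - timedelta(minutes=2), "obj-ccc", "Legacy", USER),
    _evt("Add application", T0, "obj-ccc", "Legacy", USER),
]
```

Only the "Mailer" pair survives the window check; widening `window` admits the 30-minute "Reporting" consent, while the "Legacy" consent is always dropped because it precedes the creation event.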

Details


David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

OAuth, App Registration, Entra ID, Admin, User, Tokens, Permissions, AuditLogs, Application, Certificates, Secrets Management, Service Principal, Account, Cloud Application

Operators

let, ago, in, extend, tostring, iff, isnotempty, project, join, kind, on, where, <=, >, datetime_diff
