# List *.All MS Graph Permissions Added
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1098 | Account Manipulation | https://attack.mitre.org/techniques/T1098/ |
#### Description
This rule detects Microsoft Graph permissions with the `*.All` suffix being added to an application, either as an application permission (an app role assignment to a service principal) or as a delegated permission grant. Prefer a narrower permission over a `*.All` one wherever the narrower one covers the application's actual need, so that the principle of least privilege still applies. Monitor for over-permissive applications and for rare permissions that are added to applications.
#### Risk
`*.All` permissions are very permissive and should be limited: an adversary who obtains the credentials of an application holding them (a client secret, a certificate, or a consented user session) can read or modify every object the permission covers across the tenant, not just the objects the application actually needs.
#### References
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://github.com/f-bader/AzSentinelQueries/blob/master/HuntingQueries/GrantHighPrivilegeMicrosoftGraphPermissions.yaml
## Sentinel
```KQL
AuditLogs
// Application permissions (app role assignments) and delegated grants are both logged in this category
| where Category == "ApplicationManagement"
| where ActivityDisplayName in ("Add delegated permission grant", "Add app role assignment to service principal")
// One row per target resource; keep only grants on the Microsoft Graph resource
| mv-expand TargetResources
| where TargetResources.displayName == "Microsoft Graph"
// One row per modified property, so every property value can be tested on its own
| mv-expand TargetResources.modifiedProperties
| extend InitiatedByUserPrincipalName = InitiatedBy.user.userPrincipalName
// newValue is a JSON-encoded string, so strip the surrounding double quotes
| extend AddedPermission = replace_string(tostring(TargetResources_modifiedProperties.newValue), '"', '')
| extend IP = InitiatedBy.user.ipAddress
// Position-dependent: assumes the sixth modified property of the Graph resource holds the service principal's AppId
| extend ServicePrincipalAppId = replace_string(tostring(TargetResources.modifiedProperties[5].newValue), '"', '')
| where AddedPermission endswith ".All"
| project-reorder TimeGenerated, InitiatedByUserPrincipalName, ActivityDisplayName, AddedPermission, IP, ServicePrincipalAppId
```

This query detects Microsoft Graph permissions with the ".All" suffix being added. It selects the ApplicationManagement activities that add a delegated permission grant or an app role assignment to a service principal, expands the target resources and keeps only the Microsoft Graph resource. Each modified property of that resource becomes its own row, so the ".All" test is applied to every property value; rows whose value does not end with ".All" are dropped. The output lists the user who initiated the activity, the added permission, the source IP address and the AppId of the service principal that received the permission.

Three caveats when using the query in practice. First, a delegated grant records all of its scopes in one space-separated string, so a ".All" scope that is not the last entry in that string is missed by the `endswith` test. Second, the ServicePrincipalAppId column is taken from a fixed position in the modifiedProperties array; verify that position against the events in your own tenant, because a different property order silently yields the wrong value. Third, InitiatedByUserPrincipalName and IP are empty when a service principal performed the grant, since those events populate `InitiatedBy.app` instead of `InitiatedBy.user`.
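The same detection logic, reimplemented in Python and run over constructed AuditLogs-style records so the field layout can be inspected offline. This is an added example and is not part of the original page or the KQL repository. It goes beyond the query in two ways: the delegated scope string is split into individual scopes, and the actor falls back to `InitiatedBy.app` when no user is recorded. The modifiedProperties display names `AppRole.Value`, `DelegatedPermissionGrant.Scope` and `ServicePrincipal.AppId`, and every record below, are assumptions made for this example rather than values taken from the page.

```python
import json

# Assumed property names (not stated on the page); records below are constructed, not captured.
ACTIVITIES = {"Add delegated permission grant", "Add app role assignment to service principal"}

SAMPLE_AUDIT_LOGS = [
    {   # application permission granted by an admin: should fire
        "TimeGenerated": "2023-11-20T09:00:00Z", "Category": "ApplicationManagement",
        "ActivityDisplayName": "Add app role assignment to service principal",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}},
        "TargetResources": [{"displayName": "Microsoft Graph", "modifiedProperties": [
            {"displayName": "AppRole.Id", "newValue": "\"00000000-0000-0000-0000-000000000001\""},
            {"displayName": "AppRole.Value", "newValue": "\"Directory.Read.All\""},
            {"displayName": "ServicePrincipal.AppId", "newValue": "\"11111111-1111-1111-1111-111111111111\""}]}],
    },
    {   # delegated grant whose .All scope is not the last token: the KQL endswith test misses it
        "TimeGenerated": "2023-11-20T09:05:00Z", "Category": "ApplicationManagement",
        "ActivityDisplayName": "Add delegated permission grant",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7"}},
        "TargetResources": [{"displayName": "Microsoft Graph", "modifiedProperties": [
            {"displayName": "DelegatedPermissionGrant.Scope", "newValue": "\"User.Read Mail.Read.All offline_access\""},
            {"displayName": "ServicePrincipal.AppId", "newValue": "\"22222222-2222-2222-2222-222222222222\""}]}],
    },
    {   # invented .All value on another resource: dropped by the Microsoft Graph filter
        "TimeGenerated": "2023-11-20T09:10:00Z", "Category": "ApplicationManagement",
        "ActivityDisplayName": "Add app role assignment to service principal",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}},
        "TargetResources": [{"displayName": "Office 365 Exchange Online", "modifiedProperties": [
            {"displayName": "AppRole.Value", "newValue": "\"Example.Read.All\""}]}],
    },
    {   # grant performed by a service principal: InitiatedBy.user is absent
        "TimeGenerated": "2023-11-20T09:15:00Z", "Category": "ApplicationManagement",
        "ActivityDisplayName": "Add app role assignment to service principal",
        "InitiatedBy": {"app": {"displayName": "Automation Pipeline", "appId": "33333333-3333-3333-3333-333333333333"}},
        "TargetResources": [{"displayName": "Microsoft Graph", "modifiedProperties": [
            {"displayName": "AppRole.Value", "newValue": "\"User.Read.All\""},
            {"displayName": "ServicePrincipal.AppId", "newValue": "\"44444444-4444-4444-4444-444444444444\""}]}],
    },
]


def decode_value(raw):
    """newValue is a JSON-encoded scalar (hence the quotes the KQL strips); return the bare string."""
    try:
        decoded = json.loads(raw)
    except (TypeError, ValueError):
        return raw
    return decoded if isinstance(decoded, str) else raw


def properties_by_name(resource):
    """Index a target resource's modifiedProperties by displayName instead of by array position."""
    return {p["displayName"]: decode_value(p.get("newValue")) for p in resource.get("modifiedProperties", [])}


def granted_permissions(props, split_scopes):
    """Permissions recorded in one Graph target resource.

    App role assignments carry a single AppRole.Value; delegated grants carry one
    space-separated scope string. With split_scopes=False every property value is
    returned unchanged, which is exactly what the KQL 'endswith .All' test sees.
    """
    if not split_scopes:
        return [v for v in props.values() if isinstance(v, str)]
    perms = []
    if "AppRole.Value" in props:
        perms.append(props["AppRole.Value"])
    if "DelegatedPermissionGrant.Scope" in props:
        perms.extend(props["DelegatedPermissionGrant.Scope"].split())
    return perms


def detect_all_permissions(records, split_scopes=True):
    """Return one finding per *.All Microsoft Graph permission added, in record order."""
    findings = []
    for rec in records:
        if rec.get("Category") != "ApplicationManagement" or rec.get("ActivityDisplayName") not in ACTIVITIES:
            continue
        initiated = rec.get("InitiatedBy", {})
        actor = initiated.get("user") or initiated.get("app") or {}   # user first, then the calling app
        for res in rec.get("TargetResources", []):
            if res.get("displayName") != "Microsoft Graph":
                continue
            props = properties_by_name(res)
            for perm in granted_permissions(props, split_scopes):
                if perm.endswith(".All"):
                    findings.append({
                        "time": rec["TimeGenerated"],
                        "actor": actor.get("userPrincipalName") or actor.get("displayName"),
                        "activity": rec["ActivityDisplayName"],
                        "permission": perm,
                        "ip": actor.get("ipAddress"),
                        "app_id": props.get("ServicePrincipal.AppId"),
                    })
    return findings


if __name__ == "__main__":
    for finding in detect_all_permissions(SAMPLE_AUDIT_LOGS):
        print(finding)
```

Running the module prints three findings. Calling `detect_all_permissions(SAMPLE_AUDIT_LOGS, split_scopes=False)` mirrors the KQL literally and returns only two, because the delegated grant stores its scopes as one string whose last token is `offline_access`; looking up `ServicePrincipal.AppId` by name rather than by index is the fix for the position-dependent column in the query.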

Bert-Jan Pals
Released: November 20, 2023