Query Details

Cloud App Privilege OAuth Grant

Query

//CloudApp Privilege OAuth Grant
//https://www.linkedin.com/feed/update/urn:li:activity:7167157961109303296/

//Custom KQL Defender detection rule running at continuous (NRT, Near-Real-Time) frequency, detecting assignments of highly privileged permissions to OAuth applications within seconds.

CloudAppEvents
| where ActionType == "Consent to application." and AccountType == "Admin"
| extend AdminUPN = tostring(RawEventData.UserId)
| extend ConsentData = tostring(RawEventData.ModifiedProperties)
| project Timestamp, AdminUPN, ActionType, ObjectName, ConsentData, ReportId

Explanation

This KQL (Kusto Query Language) query is designed to detect when high-privilege permissions are granted to OAuth applications in near real-time. Here's a simple summary:

  1. Source Table: The query looks at the CloudAppEvents table.
  2. Filter Criteria: It keeps only events whose action type is "Consent to application." and whose account type is "Admin".
  3. Extract Data: It extracts the admin's user principal name (UPN) and the consent data from the raw event data.
  4. Select Columns: It selects and displays the following columns: Timestamp, AdminUPN, ActionType, ObjectName, ConsentData, and ReportId.

In essence, this query identifies and provides details about instances where an admin consents to an application, granting it high-privilege permissions.
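The same where / extend / project steps, replayed over constructed sample rows in Python as an added example; this is not code from the original page or from the query's author. It assumes that RawEventData carries a UserId and a ModifiedProperties list of Name/NewValue/OldValue objects, with the granted scopes embedded in the ConsentAction.Permissions value; that layout follows the unified audit log shape but is an assumption here, as are the sample application names, identifiers and UPNs. The helper granted_scopes is hypothetical and exists for triage: the query forwards every admin consent and does not itself inspect which permissions were granted, so an analyst still has to read ConsentData to judge how privileged the grant is.

```python
import json
import re

# Constructed sample rows shaped like CloudAppEvents. The RawEventData layout
# (UserId plus a ModifiedProperties list of Name/NewValue/OldValue objects, with
# the scopes embedded in the ConsentAction.Permissions value) is an assumption
# about the unified audit log format, not something the page states.
SAMPLE_EVENTS = [
    {
        "Timestamp": "2024-08-02T09:15:00Z",
        "ActionType": "Consent to application.",
        "AccountType": "Admin",
        "ObjectName": "Contoso Mail Sync",   # constructed application name
        "ReportId": "report-0001",           # constructed identifier
        "RawEventData": {
            "UserId": "admin@contoso.example",
            "ModifiedProperties": [
                {"Name": "ConsentContext.IsAdminConsent", "NewValue": "True", "OldValue": ""},
                {
                    "Name": "ConsentAction.Permissions",
                    "NewValue": "[] => [[Id: perm-1, ClientId: client-1, "
                                "Scope: Mail.ReadWrite Directory.ReadWrite.All, "
                                "ConsentType: AllPrincipals]]",
                    "OldValue": "",
                },
            ],
        },
    },
    {   # same action by a non-admin account: the query's where clause drops it
        "Timestamp": "2024-08-02T09:20:00Z",
        "ActionType": "Consent to application.",
        "AccountType": "Regular",
        "ObjectName": "Notes Helper",
        "ReportId": "report-0002",
        "RawEventData": {"UserId": "alice@contoso.example", "ModifiedProperties": []},
    },
    {   # admin account, different action: also dropped
        "Timestamp": "2024-08-02T09:25:00Z",
        "ActionType": "Add app role assignment to service principal.",
        "AccountType": "Admin",
        "ObjectName": "Contoso Mail Sync",
        "ReportId": "report-0003",
        "RawEventData": {"UserId": "admin@contoso.example", "ModifiedProperties": []},
    },
]


def consent_grants(events):
    """Apply the query's where / extend / project steps to a list of rows."""
    rows = []
    for ev in events:
        # where ActionType == "Consent to application." and AccountType == "Admin"
        if ev.get("ActionType") != "Consent to application." or ev.get("AccountType") != "Admin":
            continue
        raw = ev.get("RawEventData") or {}
        rows.append({
            # extend AdminUPN = tostring(RawEventData.UserId)
            "AdminUPN": str(raw.get("UserId", "")),
            # extend ConsentData = tostring(RawEventData.ModifiedProperties)
            "ConsentData": json.dumps(raw.get("ModifiedProperties", [])),
            # project Timestamp, AdminUPN, ActionType, ObjectName, ConsentData, ReportId
            "Timestamp": ev.get("Timestamp"),
            "ActionType": ev["ActionType"],
            "ObjectName": ev.get("ObjectName"),
            "ReportId": ev.get("ReportId"),
        })
    return rows


def granted_scopes(consent_data):
    """Hypothetical triage helper: list the scopes named in ConsentData.

    Returns [] when ConsentData is not JSON, has no ConsentAction.Permissions
    entry, or that entry carries no "Scope:" token.
    """
    try:
        props = json.loads(consent_data)
    except (TypeError, ValueError):
        return []
    scopes = []
    for prop in props if isinstance(props, list) else []:
        if prop.get("Name") != "ConsentAction.Permissions":
            continue
        for match in re.finditer(r"Scope:\s*([^,\]]+)", str(prop.get("NewValue", ""))):
            scopes.extend(match.group(1).split())
    return scopes


if __name__ == "__main__":
    for row in consent_grants(SAMPLE_EVENTS):
        print(row["Timestamp"], row["AdminUPN"], row["ObjectName"], granted_scopes(row["ConsentData"]))
```

Running the script prints the one admin consent together with the scopes pulled out of its ConsentData; the user consent and the app-role assignment never reach the output, which mirrors what the KQL where clause does in Defender.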

Details


Steven Lim

Released: August 2, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, AdminUPN, ActionType, ObjectName, ConsentData, ReportId, Timestamp

Operators

==, and, |, extend, tostring, project
