Query Details

Cloud App Privilege O Auth Grant

Query

//CloudApp Privilege OAuth Grant
//https://www.linkedin.com/feed/update/urn:li:activity:7167157961109303296/

//Custom KQL Defender detection rule running at continuous NRT (Near Real-Time) detecting assignments of high privileged permissions to OAuth application in seconds!

CloudAppEvents
| where ActionType == "Consent to application." and AccountType == "Admin"
| extend AdminUPN = tostring(RawEventData.UserId)
| extend ConsentData = tostring(RawEventData.ModifiedProperties)
| project Timestamp, AdminUPN, ActionType, ObjectName, ConsentData, ReportId

// MITRE ATT&CK Mapping

// The KQL query is primarily focused on detecting administrative consent to applications, which can be mapped to the following MITRE ATT&CK techniques:

// T1078 - Valid Accounts:
// Description: Adversaries may leverage valid accounts to gain access to and interact with systems, including using administrative accounts to consent to applications.
// Detection: Monitoring for unusual or unauthorized use of administrative accounts, especially for actions like consenting to applications, can help detect this technique.

// T1098 - Account Manipulation:
// Description: Adversaries may manipulate accounts to maintain access to systems, including granting consent to applications that may provide additional access or capabilities.
// Detection: Detecting changes in account permissions or consent to applications by administrative accounts can indicate potential account manipulation.

// T1071 - Application Layer Protocol:
// Description: Adversaries may use application layer protocols to communicate with systems under their control, including using OAuth tokens obtained through consent to applications.
// Detection: Monitoring for unusual application consent activities can help identify potential misuse of application layer protocols.

// By mapping the KQL query to these MITRE ATT&CK techniques, you can better understand the potential threats and improve your detection capabilities.

Explanation

This query is designed to monitor and detect when high-level permissions are granted to OAuth applications by administrators in near real-time. Here's a simple breakdown:

  1. Purpose: The query identifies instances where an admin consents to an application, which could potentially grant the application high-level access or permissions.

  2. Process:

    • It looks at events related to cloud applications.
    • Specifically, it filters for actions where an admin has consented to an application.
    • It extracts and displays details like the timestamp of the event, the admin's user ID, the action type, the application's name, and any changes made during the consent process.
  3. Security Context:

    • The query is linked to certain security techniques from the MITRE ATT&CK framework, which helps in understanding potential security threats:
      • T1078 (Valid Accounts): It checks for unauthorized use of admin accounts.
      • T1098 (Account Manipulation): It looks for changes in account permissions that could indicate manipulation.
      • T1071 (Application Layer Protocol): It monitors for unusual consent activities that might suggest misuse of communication protocols.

By using this query, security teams can quickly detect and respond to potentially unauthorized or risky permissions being granted to applications, enhancing overall security posture.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

CloudAppEvents

Keywords

CloudAppEventsAdminUPNActionTypeObjectNameConsentDataReportIdTimestampRawEventDataUserIdModifiedProperties

Operators

CloudAppEventswhere==andextendtostringproject

MITRE Techniques

Actions

GitHub