Query Details

Critical Identities OAuth Grant

Query

// Critical Identities OAuth Grant
// https://www.linkedin.com/posts/0x534c_defenderxdr-customdetection-exposuremanagement-activity-7182677630733725696-MF_U/

// Custom Defender XDR detection rule for critical identities (as marked by Exposure Management) performing an OAuth grant to an application. Bear in mind that critical identities hold highly privileged roles, so an OAuth grant to a rogue application would be disastrous. It is therefore vital for SecOps to monitor the organization's critical identities' OAuth grants, unless you have an OAuth Cloud App policy that blocks all grants by default. 🫡

let CriticalIdentities =
ExposureGraphNodes
// Identity nodes to which Exposure Management has assigned a criticality level below 4
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) 
    and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend AccountID = tostring(NodeProperties.rawData.accountObjectId)
| distinct AccountID;
// Application consent events performed by one of those identities
CloudAppEvents
| where ActivityType == "Add"
| where ActionType == @"Consent to application."
| where AccountId has_any(CriticalIdentities)

Explanation

This query is designed to monitor OAuth grants made by critical identities within an organization. Here's a simplified breakdown:

  1. Identify Critical Identities:
    • It first identifies critical identities from the ExposureGraphNodes table. These are users with highly privileged roles.
    • It keeps only identities whose criticality level is less than 4 and extracts their account object IDs.
  2. Monitor OAuth Grants:
    • It then looks at the CloudAppEvents table for any "Add" activities where the action type is "Consent to application."
    • It checks whether any of these activities were performed by one of the critical identities identified earlier.

In essence, this query helps security operations teams keep an eye on OAuth grants made by highly privileged users to ensure no unauthorized or rogue applications are granted access.
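The following variant is an added example, not the original query from the post or the query library. It keeps the same two-stage logic but joins on the Entra object ID for an exact match (AccountId in CloudAppEvents can hold an object ID or a user principal name depending on the source app, while accountObjectId in the exposure graph is always an object ID), carries the identity's criticality level into the result for prioritization, and projects only the columns an analyst needs while retaining Timestamp, ReportId and AccountObjectId, which a Defender XDR custom detection rule requires in its result set. It assumes that, for the "Consent to application." event, the consented application's display name and ID are in ObjectName and ObjectId.

```kql
// Added example: enriched variant of the Critical Identities OAuth Grant detection
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
    | extend AccountID = tostring(NodeProperties.rawData.accountObjectId),
             CriticalityLevel = toint(NodeProperties.rawData.criticalityLevel.criticalityLevel)
    // One row per account; keep the most critical level if a node is reported more than once
    | summarize CriticalityLevel = min(CriticalityLevel) by AccountID;
CloudAppEvents
| where ActivityType == "Add"
| where ActionType == @"Consent to application."
// Exact match on the Entra object ID instead of a term match on AccountId
| join kind=inner CriticalIdentities on $left.AccountObjectId == $right.AccountID
// Timestamp, ReportId and AccountObjectId must stay in the output for a custom detection rule
| project Timestamp, ReportId, AccountObjectId, AccountDisplayName, CriticalityLevel,
          Application,
          ConsentedApp = ObjectName,   // assumption: app display name for this event type
          ConsentedAppId = ObjectId,   // assumption: app/service principal ID for this event type
          IPAddress, CountryCode, UserAgent
// Most critical identities first, newest consent first
| order by CriticalityLevel asc, Timestamp desc
```

Run it in Advanced Hunting first to check the join produces hits in your tenant before saving it as a custom detection rule; if AccountObjectId is empty for your consent events, fall back to the original `AccountId has_any(CriticalIdentities)` filter.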

Details


Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes, CloudAppEvents

Keywords

CriticalIdentities, OAuthGrant, Custom, DefenderXDR, DetectionRule, ExposureManagement, Application, SecOps, Organization, CloudAppPolicy

Operators

let, |, where, set_has_element, isnotnull, and, <, extend, tostring, distinct, ==, has_any
