Query Details

DCA Potential Consent Phishing

Query

//Detect when a user flags a risky sign-in within 8 hours of installing a service principal; this can be a sign of OAuth consent phishing. This example uses a window of 8 hours between the two events.

//Data connector required for this query - M365 Defender - CloudAppEvents

//Microsoft Sentinel query. This query could also use Azure AD audit logs as a trigger, but this example uses Defender for Cloud Apps logs.
let threshold=8; //window between the two events, in hours
CloudAppEvents
| where ActionType == "Add service principal."
| where AccountType == "Regular"
| extend UserId = tostring(RawEventData.UserId)
| project
    ['Service Principal Install Time']=TimeGenerated,
    UserId,
    ['Service Principal Name']=ObjectName
| join kind=inner (
    AADUserRiskEvents
    | where DetectionTimingType == "realtime"
    | where RiskDetail !in ("aiConfirmedSigninSafe", "userPerformedSecuredPasswordReset")
    | project
        ['Risk Event Time']=TimeGenerated,
        UserId=UserPrincipalName,
        ['Risk Event IP']=IpAddress
    )
    on UserId
| extend ['Minutes Between Events']=datetime_diff("minute", ['Service Principal Install Time'], ['Risk Event Time'])
//Compare in minutes so the column name matches its unit; abs() keeps risk events on either side of the install.
//Without abs(), a risk event that occurs after the install gives a negative difference, which always passes a plain "< threshold" check.
| where abs(['Minutes Between Events']) < threshold * 60
| project
    UserId,
    ['Risk Event Time'],
    ['Service Principal Install Time'],
    ['Minutes Between Events'],
    ['Risk Event IP'],
    ['Service Principal Name']

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

let threshold=8; //window between the two events, in hours
CloudAppEvents
| where ActionType == "Add service principal."
| where AccountType == "Regular"
| extend UserId = tostring(RawEventData.UserId)
| project
    ['Service Principal Install Time']=Timestamp,
    UserId,
    ['Service Principal Name']=ObjectName
| join kind=inner (
    AADSignInEventsBeta
    | where RiskLevelDuringSignIn in (50, 100)
    | project ['Risk Event Time']=Timestamp, UserId=AccountUpn, ['Risk Event IP']=IPAddress
    )
    on UserId
| extend ['Minutes Between Events']=datetime_diff("minute", ['Service Principal Install Time'], ['Risk Event Time'])
//Compare in minutes so the column name matches its unit; abs() keeps risk events on either side of the install.
| where abs(['Minutes Between Events']) < threshold * 60
| project
    UserId,
    ['Risk Event Time'],
    ['Service Principal Install Time'],
    ['Minutes Between Events'],
    ['Risk Event IP'],
    ['Service Principal Name']

Explanation

This query detects a user who triggers a risky sign-in within 8 hours of installing a service principal, which can be a sign of OAuth consent phishing. It reads from the M365 Defender CloudAppEvents data connector (Microsoft Sentinel) or from Advanced Hunting, filters for "Add service principal." actions performed by regular user accounts, and joins them on user ID with AADUserRiskEvents (Sentinel) or AADSignInEventsBeta (Advanced Hunting). It computes the time between the service principal installation and the risk event, keeps only pairs that fall within the 8-hour window, and projects the user ID, risk event time, service principal installation time, minutes between events, risk event IP, and service principal name.
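The correlation the query performs, as an added Python example that is not part of the original page: it re-implements the join over constructed sample events (all user names, IPs and app names are made up) and shows why the time comparison needs abs(), since a risk event that follows the install yields a negative difference that would otherwise always pass a plain "< threshold" check.

```python
from datetime import datetime, timedelta

# Constructed sample rows standing in for the two tables the query joins
# (CloudAppEvents "Add service principal." rows and AADUserRiskEvents rows).
SP_INSTALLS = [
    {"UserId": "alice@contoso.example", "AccountType": "Regular",
     "Time": datetime(2022, 6, 17, 10, 0), "SP": "MailReaderApp"},
    {"UserId": "bob@contoso.example", "AccountType": "Regular",
     "Time": datetime(2022, 6, 17, 9, 0), "SP": "ReportingTool"},
    {"UserId": "svc@contoso.example", "AccountType": "Application",
     "Time": datetime(2022, 6, 17, 10, 0), "SP": "AutomationApp"},
]
RISK_EVENTS = [
    {"UserId": "alice@contoso.example", "Time": datetime(2022, 6, 17, 7, 30),
     "Ip": "203.0.113.5", "RiskDetail": "none"},            # 2.5 h before install
    {"UserId": "bob@contoso.example", "Time": datetime(2022, 6, 18, 9, 0),
     "Ip": "198.51.100.7", "RiskDetail": "none"},           # 24 h after install
    {"UserId": "alice@contoso.example", "Time": datetime(2022, 6, 17, 8, 0),
     "Ip": "203.0.113.9", "RiskDetail": "aiConfirmedSigninSafe"},  # dismissed
]
# RiskDetail values the query excludes (the sign-in was later judged safe).
BENIGN_DETAILS = {"aiConfirmedSigninSafe", "userPerformedSecuredPasswordReset"}


def correlate(installs, risks, threshold_hours=8, two_sided=True):
    """Return (UserId, minutes_between, sp_name, risk_ip) for each risky
    sign-in that falls within threshold_hours of a service principal install
    by the same regular user.  minutes_between is install minus risk time,
    so a positive value means the risky sign-in came first.
    two_sided=False reproduces a plain '< threshold' comparison, which lets
    every risk event *after* the install through because its difference is
    negative."""
    window = timedelta(hours=threshold_hours)
    hits = []
    for sp in installs:
        if sp["AccountType"] != "Regular":
            continue
        for r in risks:
            if r["UserId"] != sp["UserId"] or r["RiskDetail"] in BENIGN_DETAILS:
                continue
            delta = sp["Time"] - r["Time"]
            within = abs(delta) < window if two_sided else delta < window
            if within:
                hits.append((sp["UserId"], int(delta.total_seconds() // 60),
                             sp["SP"], r["Ip"]))
    return hits
```

With the two-sided window only alice's pairing survives; the one-sided comparison also returns bob's sign-in from a full day after the install.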

Details

Matt Zorich

Released: June 17, 2022

Tables

CloudAppEvents, AADUserRiskEvents, AADSignInEventsBeta

Keywords

User, CloudAppEvents, ActionType, AccountType, RawEventData, UserId, TimeGenerated, ObjectName, AADUserRiskEvents, DetectionTimingType, RiskDetail, UserPrincipalName, IpAddress, MinutesBetweenEvents, RiskEventTime, ServicePrincipalInstallTime, RiskEventIP, AADSignInEventsBeta, RiskLevelDuringSignIn, Timestamp, AccountUpn, IPAddress

Operators

where, extend, project, join, on, datetime_diff, in, ==, !=