Query Details
// Detect anomalous external OAuthApp activity using ActorInfoString
// https://techcommunity.microsoft.com/blog/microsoft-security-blog/introducing-actorinfostring-a-new-era-of-audit-log-accuracy-in-exchange-online/4408093
CloudAppEvents
| where Timestamp > ago(1h)
| where Application == @"Microsoft Exchange Online"
| where isnotempty(parse_json(RawEventData)["ActorInfoString"])
| extend ActorInfoString = tostring(parse_json(RawEventData)["ActorInfoString"])
| where UncommonForUser has "CountryCode" and UncommonForUser has "UserAgent"
| where isnotempty(OAuthAppId)
// kind=inner keeps every matching event; the default join flavour (innerunique) keeps only one event per OAuthAppId
| join kind=inner OAuthAppInfo on OAuthAppId
| where AppOrigin == @"External"
This query is designed to detect unusual activity related to external OAuth applications in Microsoft Exchange Online. Here's a simplified breakdown of what it does:
Data Source: It starts by looking at events from the CloudAppEvents table.
Time Frame: It focuses on events that occurred within the last hour.
Application Filter: It specifically examines events related to "Microsoft Exchange Online".
Actor Information: It keeps only events whose RawEventData carries a non-empty ActorInfoString, the field Microsoft added to Exchange Online audit records to attribute an action to the entity that actually performed it (for example an application operating on a mailbox) rather than only to the mailbox owner.
Extract Actor Info: It extracts ActorInfoString from the raw JSON into its own column so the attribution is visible in the results.
Uncommon Activity: UncommonForUser is a dynamic array of the attributes Defender judged unusual for that account; requiring both "CountryCode" and "UserAgent" restricts the results to activity from a country and a client the user is not normally seen with, which cuts noise from apps the user already uses from their usual location.
OAuth Application: It ensures that the event is associated with an OAuth application by checking that the OAuthAppId is not empty.
Join with App Info: It joins the events with the OAuthAppInfo table on OAuthAppId to pull in the application's metadata (name, publisher, origin). Use kind=inner here so that every event for an app is retained; KQL's default join flavour, innerunique, keeps only one left-side row per join key. Either way, events whose OAuthAppId has no OAuthAppInfo row are dropped by the inner join.
External Origin: Finally, it filters for applications that originate externally, as indicated by the AppOrigin field being "External".
Overall, the query surfaces recent Exchange Online activity by externally registered OAuth apps that is also anomalous for the user in both location and client, a combination that fits consent-phishing and token-abuse cases where a third-party app operates a mailbox from infrastructure the user never touched. The one-hour window suits a frequently scheduled custom detection rule; widen ago(1h) for ad hoc hunting.
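To make the filter chain concrete, here is a Python re-implementation of the same stages run over hand-built CloudAppEvents and OAuthAppInfo rows. It is an added example, not the author's query or Microsoft code; the sample rows, app IDs and ActorInfoString values are constructed (the real ActorInfoString format is not modelled), and the column names are the ones the query itself uses. It also shows the join-flavour caveat: with the default innerunique join only one event per OAuthAppId survives, whereas kind=inner keeps both hits for the same app.

```python
"""Offline re-implementation of the query's filter chain over constructed rows.

Added example, not Steven Lim's query or Microsoft code. Column names follow
the CloudAppEvents / OAuthAppInfo schema the query references; every value
below is made up for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the ago(1h) window is reproducible offline.
NOW = datetime(2025, 6, 28, 12, 0, tzinfo=timezone.utc)
EXO = "Microsoft Exchange Online"


def _event(minutes_ago, account, oauth_app_id, uncommon, actor_info, app=EXO):
    """One CloudAppEvents-like row. RawEventData is a JSON string, as in the table."""
    raw = {"Operation": "MailItemsAccessed"}
    if actor_info is not None:
        raw["ActorInfoString"] = actor_info  # hypothetical value; real format not modelled
    return {
        "Timestamp": NOW - timedelta(minutes=minutes_ago),
        "Application": app,
        "AccountObjectId": account,
        "RawEventData": json.dumps(raw),
        "UncommonForUser": uncommon,  # dynamic array of attribute names in the real table
        "OAuthAppId": oauth_app_id,
    }


# Constructed sample data: one row per filter stage, plus two true hits.
CLOUD_APP_EVENTS = [
    _event(10, "user-1", "app-ext-1", ["CountryCode", "UserAgent"], "actor-a"),   # hit
    _event(12, "user-2", "app-ext-1", ["CountryCode", "UserAgent"], "actor-a"),   # hit, same app
    _event(15, "user-1", "app-int-1", ["CountryCode", "UserAgent"], "actor-b"),   # Internal app
    _event(20, "user-1", "app-ext-1", ["CountryCode"], "actor-a"),                # only one anomaly
    _event(25, "user-1", "app-ext-1", ["CountryCode", "UserAgent"], None),        # no ActorInfoString
    _event(90, "user-1", "app-ext-1", ["CountryCode", "UserAgent"], "actor-a"),   # outside 1h window
    _event(5, "user-1", "app-ext-1", ["CountryCode", "UserAgent"], "actor-a",
           app="Microsoft SharePoint Online"),                                    # not Exchange Online
    _event(5, "user-1", "", ["CountryCode", "UserAgent"], "actor-a"),             # no OAuth app
    _event(5, "user-1", "app-unknown", ["CountryCode", "UserAgent"], "actor-c"),  # no OAuthAppInfo row
]

OAUTH_APP_INFO = {  # keyed by OAuthAppId, standing in for the OAuthAppInfo table
    "app-ext-1": {"AppName": "Mail Sync Helper", "AppOrigin": "External"},
    "app-int-1": {"AppName": "LOB Connector", "AppOrigin": "Internal"},
}


def detect(events, app_info, now=NOW, window=timedelta(hours=1), unique_left=False):
    """Apply the query's stages in order and return the enriched matching rows.

    unique_left=True emulates KQL's default join flavour (innerunique), which
    keeps only one left-side row per join key; False behaves like kind=inner.
    """
    hits, seen_keys = [], set()
    for e in events:
        if e["Timestamp"] <= now - window:            # | where Timestamp > ago(1h)
            continue
        if e["Application"] != EXO:                   # | where Application == "Microsoft Exchange Online"
            continue
        actor = json.loads(e["RawEventData"]).get("ActorInfoString", "")
        if not actor:                                 # | where isnotempty(...ActorInfoString)
            continue
        uncommon = e["UncommonForUser"]               # KQL `has` on the dynamic array; list membership here
        if not ("CountryCode" in uncommon and "UserAgent" in uncommon):
            continue
        if not e["OAuthAppId"]:                       # | where isnotempty(OAuthAppId)
            continue
        if unique_left:                               # innerunique: first left row per key wins
            if e["OAuthAppId"] in seen_keys:
                continue
            seen_keys.add(e["OAuthAppId"])
        info = app_info.get(e["OAuthAppId"])          # | join OAuthAppInfo on OAuthAppId (inner: drop unmatched)
        if info is None or info["AppOrigin"] != "External":   # | where AppOrigin == "External"
            continue
        hits.append({**e, **info, "ActorInfoString": actor})  # the extend step, surfaced as a column
    return hits


def summarize_by_app(hits):
    """Triage view: per external app, how many events and how many distinct accounts."""
    out = {}
    for h in hits:
        s = out.setdefault(h["OAuthAppId"], {"events": 0, "accounts": set()})
        s["events"] += 1
        s["accounts"].add(h["AccountObjectId"])
    return {k: {"events": v["events"], "accounts": len(v["accounts"])} for k, v in out.items()}


if __name__ == "__main__":
    found = detect(CLOUD_APP_EVENTS, OAUTH_APP_INFO)
    for h in found:
        print(h["Timestamp"].isoformat(), h["AccountObjectId"], h["AppName"], h["ActorInfoString"])
    print(summarize_by_app(found))
    print("innerunique would return", len(detect(CLOUD_APP_EVENTS, OAUTH_APP_INFO, unique_left=True)), "row(s)")
```

Running it keeps the two rows for app-ext-1 (two distinct accounts) and drops one row at each other stage; with unique_left=True the same data yields a single row, which is why the join flavour matters when one external app is touching several mailboxes at once.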

Steven Lim
Released: June 28, 2025