# Entra ID - OAuth App Information
## Query Information
### Description
Use the query below to query the OAuthAppInfo table in Defender XDR.
### Author
- Alex Verboon
#### References
- [OAuthAppInfo (Preview)](https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-oauthappinfo-table)
### Microsoft Defender XDR
List relevant information from the OAuthAppInfo table and count the permissions by privilege level.
```kql
OAuthAppInfo
| mv-expand Permissions
| extend Permission = tostring(parse_json(Permissions.PermissionValue))
| project
    AppName,
    PrivilegeLevel,
    Permission,
    AppStatus,
    ConsentedUsersCount,
    IsAdminConsented,
    AppOrigin
| summarize
    Permissions = make_set(Permission),
    Low = countif(PrivilegeLevel == "Low"),
    Medium = countif(PrivilegeLevel == "Medium"),
    High = countif(PrivilegeLevel == "High")
    by AppName, ConsentedUsersCount, IsAdminConsented, AppStatus, AppOrigin
| order by High desc, Medium desc, Low desc
```
This query analyzes data from the OAuthAppInfo table in Microsoft Defender XDR. It lists the permissions associated with each OAuth application and counts them by privilege level. Here's a simplified breakdown of what the query does:

- Expand Permissions: It starts by expanding the permissions associated with each application, so that each permission becomes its own row.
- Extract Permission Details: It converts the permission values into a readable string format.
- Select Relevant Information: The query selects specific fields such as the application name, privilege level, permission, application status, the number of users who have consented, whether the app has admin consent, and the origin of the app.
- Summarize Data: It summarizes the data by grouping it based on the application name, the number of consented users, admin consent status, application status, and origin. For each group, it collects the distinct permissions into a set and counts the rows at the Low, Medium, and High privilege levels.
- Order Results: Finally, it orders the results by the number of high privilege permissions in descending order, followed by medium and low privilege permissions.

In essence, this query helps identify which applications have the most high-level permissions and provides an overview of their consent status and origin.
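
To follow the steps above without tenant data, the same pipeline can be run over a constructed `datatable`. This is an added example, not part of the original query; the table name `SampleOAuthAppInfo`, the app names and values, and the reduced shape of `Permissions` (only `PermissionValue`) are assumptions.

```kql
// Constructed sample rows, not real tenant data. Only the columns the query
// references are modelled; each Permissions element carries just the
// PermissionValue property (assumed shape for this example).
let SampleOAuthAppInfo = datatable(
    AppName: string,
    PrivilegeLevel: string,
    Permissions: dynamic,
    AppStatus: string,
    ConsentedUsersCount: int,
    IsAdminConsented: bool,
    AppOrigin: string
)
[
    "Contoso Mail Sync", "High",
        dynamic([{"PermissionValue": "Mail.ReadWrite"}, {"PermissionValue": "User.Read"}]),
        "Enabled", 12, true, "External",
    "Fabrikam Calendar", "Medium",
        dynamic([{"PermissionValue": "Calendars.Read"}]),
        "Enabled", 3, false, "External",
    "Internal Profile Viewer", "Low",
        dynamic([{"PermissionValue": "User.Read"}]),
        "Enabled", 1, false, "Internal"
];
SampleOAuthAppInfo
// One output row per element of the Permissions array; all other columns,
// including PrivilegeLevel, are repeated on every expanded row.
| mv-expand Permissions
| extend Permission = tostring(parse_json(Permissions.PermissionValue))
| project
    AppName,
    PrivilegeLevel,
    Permission,
    AppStatus,
    ConsentedUsersCount,
    IsAdminConsented,
    AppOrigin
// countif() runs over the expanded rows, so each permission is counted
// under the PrivilegeLevel value of the row it was expanded from.
| summarize
    Permissions = make_set(Permission),
    Low = countif(PrivilegeLevel == "Low"),
    Medium = countif(PrivilegeLevel == "Medium"),
    High = countif(PrivilegeLevel == "High")
    by AppName, ConsentedUsersCount, IsAdminConsented, AppStatus, AppOrigin
| order by High desc, Medium desc, Low desc
```

Because `PrivilegeLevel` is read from the row rather than from each expanded permission, all of an app's permissions are counted in the single column that matches that row's level.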

Alex Verboon
Released: April 7, 2025