Query Details
id: e57acdbc-fc60-42eb-8666-da9ce7bbf66e
name: Grant high privilege Microsoft Graph permissions
description: |
  'Identifies when an Application registration was granted a high privilege Microsoft Graph permission'
severity: Medium
requiredDataConnectors:
  - connectorId: AuditLogs
    dataTypes:
      - AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1098
query: |
  // Graph application permissions that let the holder manage any app's credentials, grant
  // itself further app roles, or assign directory roles: each is a path to tenant-wide admin.
  let DangerousPermissions = dynamic(["AppRoleAssignment.ReadWrite.All","Application.ReadWrite.All","RoleManagement.ReadWrite.Directory"]);
  AuditLogs
  | where OperationName == "Add app role assignment to service principal"
  // One row per target resource, then one row per modified property of that resource
  | mv-expand TargetResources
  | mv-expand TargetResources.modifiedProperties
  // Keep only the property that carries the granted app role (permission) name
  | where TargetResources_modifiedProperties.displayName == "AppRole.Value"
  | extend InitiatedByUserPrincipalName = InitiatedBy.user.userPrincipalName
  // newValue is a JSON string literal (the value is wrapped in double quotes), so strip the quotes
  | extend AddedPermission = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
  // in~ matches case-insensitively
  | where AddedPermission in~ ( DangerousPermissions )
  | extend IPCustomEntity = todynamic(InitiatedBy).user.ipAddress
  // Positional lookup into modifiedProperties; see the note below on what this actually returns
  | extend ServicePrincipalAppId = todynamic(TargetResources).modifiedProperties[5].displayName
  | project timestamp = TimeGenerated, IPCustomEntity, AccountCustomEntity=InitiatedByUserPrincipalName, ServicePrincipalAppId, AddedPermission
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

This scheduled rule identifies when an application (service principal) is granted one of three high-privilege Microsoft Graph application permissions: AppRoleAssignment.ReadWrite.All, Application.ReadWrite.All and RoleManagement.ReadWrite.Directory. Each of these lets the holder escalate to full control of the tenant, so granting one to an application is a common persistence step after an account or application compromise. The query selects the "Add app role assignment to service principal" operation in AuditLogs, expands TargetResources and their modifiedProperties, keeps the AppRole.Value property, strips the JSON quoting from its newValue and matches the result case-insensitively against the list. The alert row carries the initiating user's UPN and IP address (mapped to the Account and IP entities), the added permission and a ServicePrincipalAppId column. Note that ServicePrincipalAppId is read from a fixed position in modifiedProperties and takes that entry's displayName, which in this log is the property's name (the same field the query compares against "AppRole.Value"), not its value; verify the column against your tenant's audit records before relying on it for enrichment. The rule runs once a day over the previous day's logs, fires on any match (triggerOperator gt, threshold 0) and is rated Medium severity; it maps to the Persistence tactic and technique T1098 (Account Manipulation).
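The rule's filter logic, re-implemented in Python as an added example so it can be tested offline against constructed AuditLogs records. This is not the rule's own code and is not part of the original page. The field names in the constructed records (InitiatedBy.user.userPrincipalName and ipAddress, TargetResources[].modifiedProperties[].displayName and newValue) mirror the fields the KQL references; the "ServicePrincipal.AppId" property name is an assumption, used here to show a lookup by property name rather than by array position.

```python
"""Offline re-implementation of the 'Grant high privilege Microsoft Graph permissions'
filter. Added example; not the Sentinel rule itself."""
import json

# Same list the KQL rule carries in DangerousPermissions.
DANGEROUS_PERMISSIONS = {
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}
# KQL `in~` compares case-insensitively, so compare lower-cased values.
_DANGEROUS_LOWER = {p.lower() for p in DANGEROUS_PERMISSIONS}

TARGET_OPERATION = "Add app role assignment to service principal"


def _property_value(modified_properties, name):
    """Return the decoded newValue of the modifiedProperties entry whose displayName is `name`.

    The audit log stores newValue as a JSON string literal (the value wrapped in double
    quotes), which is why the KQL strips '"'. json.loads is the stricter equivalent; fall
    back to quote stripping if the value is not valid JSON.
    """
    for prop in modified_properties:
        if prop.get("displayName") != name:
            continue
        raw = prop.get("newValue")
        if raw is None:
            return None
        try:
            value = json.loads(raw)
        except (ValueError, TypeError):
            return str(raw).replace('"', "")
        return value if isinstance(value, str) else str(value)
    return None


def evaluate_record(record):
    """Apply the rule's filter to one AuditLogs record.

    Returns the projected alert row as a dict, or None when the record does not match.
    """
    if record.get("OperationName") != TARGET_OPERATION:
        return None
    user = (record.get("InitiatedBy") or {}).get("user") or {}
    # mv-expand TargetResources: each target resource is evaluated on its own.
    for target in record.get("TargetResources") or []:
        props = target.get("modifiedProperties") or []
        permission = _property_value(props, "AppRole.Value")
        if permission is None or permission.lower() not in _DANGEROUS_LOWER:
            continue
        return {
            "timestamp": record.get("TimeGenerated"),
            "IPCustomEntity": user.get("ipAddress"),
            "AccountCustomEntity": user.get("userPrincipalName"),
            # Looked up by property name ("ServicePrincipal.AppId" is an assumed name)
            # instead of by a fixed index into the array.
            "ServicePrincipalAppId": _property_value(props, "ServicePrincipal.AppId"),
            "AddedPermission": permission,
        }
    return None


def run_rule(records):
    """Run the filter over a list of records; returns only the matching alert rows."""
    return [row for row in (evaluate_record(r) for r in records) if row is not None]


# Constructed sample records (not real tenant data). IDs are placeholders.
SAMPLE_AUDIT_LOGS = [
    {   # dangerous permission, lower-cased on purpose: must alert (case-insensitive match)
        "TimeGenerated": "2022-03-25T10:15:00Z",
        "OperationName": "Add app role assignment to service principal",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example",
                                 "ipAddress": "203.0.113.10"}},
        "TargetResources": [{"modifiedProperties": [
            {"displayName": "AppRole.Id", "newValue": "\"aaaaaaaa-0000-0000-0000-000000000001\""},
            {"displayName": "AppRole.Value", "newValue": "\"application.readwrite.all\""},
            {"displayName": "ServicePrincipal.AppId",
             "newValue": "\"11111111-2222-3333-4444-555555555555\""},
        ]}],
    },
    {   # benign permission: must not alert
        "TimeGenerated": "2022-03-25T10:16:00Z",
        "OperationName": "Add app role assignment to service principal",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example",
                                 "ipAddress": "203.0.113.10"}},
        "TargetResources": [{"modifiedProperties": [
            {"displayName": "AppRole.Value", "newValue": "\"User.Read.All\""},
        ]}],
    },
    {   # unrelated operation: must not alert
        "TimeGenerated": "2022-03-25T10:17:00Z",
        "OperationName": "Add service principal",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "TargetResources": [{"modifiedProperties": []}],
    },
]

if __name__ == "__main__":
    for row in run_rule(SAMPLE_AUDIT_LOGS):
        print(row)
```

run_rule(SAMPLE_AUDIT_LOGS) returns a single row, for the lower-cased application.readwrite.all grant, which exercises both the quote stripping and the case-insensitive comparison; the User.Read.All grant and the unrelated operation are dropped. Looking the app id up by property name rather than by index is what the KQL's modifiedProperties[5] reference would need to become if that column is to be trusted.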

Fabian Bader
Released: March 25, 2022