Query Details

KQL Query To Oversee The Privileged O Auth Grants Allocated To The Microsoft Graph Command Line Tools O Auth App

Query

// KQL query to oversee the privileged OAuth grants allocated to the Microsoft Graph Command Line Tools OAuth App
// https://www.linkedin.com/posts/activity-7212728685601116161-qmd4/

// The Microsoft Graph Command Line Tools OAuth App, which possesses a High permission level, has received verification from Microsoft. It’s crucial for Security Operations teams to monitor the usage and consent of this tool within your organization’s M365/Azure admin framework to guarantee compliance with established change control procedures. Utilize the following KQL query to oversee the privileged OAuth grants allocated to this tool.

CloudAppEvents
| where TimeGenerated > ago(90d)
| where ActionType == "Consent to application." and AccountType == "Admin"
| where ObjectName contains "Microsoft Graph"

// MITRE ATT&CK Mapping

// This query is related to the following MITRE ATT&CK techniques:

// T1078 - Valid Accounts: The use of valid accounts to gain access to resources. In this case, an admin account consenting to an application.
// T1098 - Account Manipulation: The consent to an application by an admin could be seen as a form of account manipulation, especially if the consent is unauthorized.
// T1071 - Application Layer Protocol: The use of Microsoft Graph API, which is an application layer protocol.

Explanation

This KQL query is designed to help security teams monitor the use of a specific OAuth application, the Microsoft Graph Command Line Tools, within an organization's Microsoft 365 or Azure environment. The query focuses on identifying when an admin account has granted consent to this application, which has high-level permissions and has been verified by Microsoft. The query looks at events from the past 90 days and filters for actions where an admin has consented to the application, specifically targeting instances related to the Microsoft Graph.

Additionally, the query is linked to certain MITRE ATT&CK techniques, which are frameworks for understanding potential security threats:

  • T1078 - Valid Accounts: This involves the use of legitimate admin accounts to grant access to resources, in this case, consenting to an application.
  • T1098 - Account Manipulation: This refers to the possibility of unauthorized consent being given by an admin, which could be seen as manipulating account permissions.
  • T1071 - Application Layer Protocol: This involves the use of the Microsoft Graph API, which operates at the application layer of network protocols.

Overall, the query helps ensure that the use and consent of this powerful tool are in line with the organization's security and compliance policies.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

CloudAppEvents

Keywords

CloudAppEventsTimeGeneratedActionTypeAccountTypeObjectNameMicrosoftGraphAdminApplicationConsentSecurityOperationsComplianceM365AzureFrameworkChangeControlProceduresMITREATT&CKValidAccountsAccountManipulationLayerProtocol

Operators

CloudAppEventswhereTimeGeneratedagoActionTypeAccountTypeObjectNamecontains

MITRE Techniques

Actions

GitHub