Query Details

KQL Query To Oversee The Privileged OAuth Grants Allocated To The Microsoft Graph Command Line Tools OAuth App

Query

// KQL query to oversee the privileged OAuth grants allocated to the Microsoft Graph Command Line Tools OAuth App
// https://www.linkedin.com/posts/activity-7212728685601116161-qmd4/

// The Microsoft Graph Command Line Tools OAuth App, which possesses a High permission level, has received verification from Microsoft. It’s crucial for Security Operations teams to monitor the usage and consent of this tool within your organization’s M365/Azure admin framework to guarantee compliance with established change control procedures. Utilize the following KQL query to oversee the privileged OAuth grants allocated to this tool.

CloudAppEvents
| where TimeGenerated > ago(90d)                                              // look back over the last 90 days
| where ActionType == "Consent to application." and AccountType == "Admin"   // admin consent events only
| where ObjectName contains "Microsoft Graph"                                // substring match on the consented app's display name

Explanation

This KQL query is designed to help Security Operations teams monitor the use and consent of the Microsoft Graph Command Line Tools OAuth App within an organization's Microsoft 365/Azure environment. Here's a simple summary of what the query does:

  1. Data Source: It looks at events from CloudAppEvents.
  2. Time Frame: It filters events that have occurred in the last 90 days.
  3. Action Type: It focuses on events where the action type is "Consent to application."
  4. Account Type: It further narrows down to events where the account type is "Admin".
  5. Application Name: Finally, it filters for events related to applications whose names contain "Microsoft Graph".

In essence, this query helps you track when administrators have given consent to the Microsoft Graph Command Line Tools OAuth App within the last 90 days. Because the last filter is a substring match, any application whose display name contains "Microsoft Graph" will also appear in the results, so check the ObjectName on each row to confirm which application actually received consent.
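As an added example (not part of the original query or the author's post), the same filter can be extended so that each admin/application pair is reduced to one row with a consent count, first and last seen times, and the source IP addresses involved; this makes a single unexpected grant stand out during a change-control review. It assumes the standard CloudAppEvents columns AccountDisplayName, AccountObjectId, ObjectId and IPAddress are present in your workspace, and it keeps the original 90-day window.

```kql
// Added example: summarize admin consent events for Microsoft Graph-named apps
// per administrator and per consented object (assumes standard CloudAppEvents columns).
CloudAppEvents
| where TimeGenerated > ago(90d)
| where ActionType == "Consent to application." and AccountType == "Admin"
| where ObjectName contains "Microsoft Graph"
| summarize
    ConsentCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SourceIPs = make_set(IPAddress, 10)
    by AccountDisplayName, AccountObjectId, ObjectName, ObjectId
| order by LastSeen desc
```

Compare each row's ObjectId against the application ID shown for Microsoft Graph Command Line Tools in your tenant's enterprise applications list, and reconcile every ConsentCount against an approved change record.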

Details


Steven Lim

Released: August 2, 2024

Tables

CloudAppEvents
