MDA App Governance Alerts With Enriched Information
Query
SecurityAlert
| where ProductName == "Microsoft Application Protection"
| where TimeGenerated > ago(1h)
| extend CloudAppUrl = parse_url(Description)
| extend CloudAppUrlParam = parse_json(tostring(CloudAppUrl.["Query Parameters"])).oauthAppId
| extend AppId = tostring(toguid(CloudAppUrlParam))
| extend Category = tostring(parse_json(ExtendedProperties).Category)
| extend AlertDisplayName = tostring(DisplayName)
| join kind=inner (
PrivilegedWorkloadIdentityInfo
| project
WorkloadIdentityName,
WorkloadIdentityType,
IsFirstPartyApp,
AppId = tostring(ApplicationId),
tostring(ServicePrincipalObjectId),
EnterpriseAccessModelTiering,
EntraIdRoles,
AppRolePermissions
)
on AppId
| join kind=inner (
SecurityIncident
| mv-expand AlertIds
| extend SystemAlertId = tostring(AlertIds)
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| project
SystemAlertId,
IncidentUrl = AdditionalData.providerIncidentUrl,
IncidentStatus = Status,
IncidentName = IncidentNumber
)
on SystemAlertIdExplanation
This query is part of a scheduled analytic rule designed to monitor and create incidents from Microsoft Defender for Cloud Apps (MDA) governance alerts. Here's a simplified breakdown of what the query does:
-
Source and Filtering: It starts by filtering security alerts from Microsoft Application Protection that were generated in the last hour.
-
Data Enrichment:
- Extracts and processes the URL from the alert description to get the OAuth application ID.
- Retrieves additional details like the category and display name of the alert.
-
Joining Data:
- It joins this data with information from the
PrivilegedWorkloadIdentityInfotable to get details about the application, such as its name, type, whether it's a first-party app, and its roles and permissions. - It also joins with the
SecurityIncidenttable to get incident details like the incident URL, status, and name.
- It joins this data with information from the
-
Incident Creation:
- If the conditions are met, it creates an incident with medium severity.
- The incident configuration includes grouping settings to manage how incidents are grouped and whether closed incidents should be reopened.
-
Alert Customization:
- The alert details are customized with specific formats for display name and description.
- Additional properties like alert link, techniques, provider name, and remediation steps are included.
-
Entity Mapping:
- It maps the application ID and workload identity name to a cloud application entity type for better tracking and management.
-
Suppression:
- Alerts are suppressed for 5 hours to prevent duplicate alerts from being generated too frequently.
Overall, this query automates the process of monitoring, enriching, and creating incidents from MDA governance alerts, providing detailed information and context to security teams for further investigation and response.
Details

Thomas Naunheim
Released: November 18, 2023
Tables
Keywords
Operators
Severity
MediumFrequency: 1h
Period: 1h