Query Details
MDA Threat Detection Policy For O Auth Apps With Enriched Information Workload Identity Info
Query
id: 3a2336d2-76e5-4365-a7ef-b8cfed604534
name: MDA Threat detection policy for OAuth Apps with Enriched Information
version: 1.0.0
kind: Scheduled
description: This analytic rule is creating an incident from MDA Threat detection policy with Entity Mapping to Cloud Application and other enrichments from the original event in the SecurityAlert.
severity: Medium
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
query: |+
SecurityAlert
| where ProductName == "Microsoft Cloud App Security" or ProductComponentName == "Anubis"
| mv-expand parse_json(Entities) | where Entities.Type == "oauth-application"
| extend AppId = tostring(Entities.OAuthAppId)
| extend IpAddress = parse_json(ExtendedProperties).["IP Addresses"]
| extend RedirectUris = parse_json(tostring(Entities.RedirectURLs))
| extend AlertDisplayName = tostring(DisplayName)
| extend CommunityUse = tostring(Entities.CommunityUse)
| extend Publisher = tostring(Entities.PublisherName)
| join kind=inner (
PrivilegedWorkloadIdentityInfo
| project
WorkloadIdentityName,
WorkloadIdentityType,
IsFirstPartyApp,
AppId = tostring(ApplicationId),
tostring(ServicePrincipalObjectId),
EnterpriseAccessModelTiering,
EntraIdRoles,
AppRolePermissions
)
on AppId
| join kind=inner (
SecurityIncident
| mv-expand AlertIds
| extend SystemAlertId = tostring(AlertIds)
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| project
SystemAlertId,
IncidentUrl = AdditionalData.providerIncidentUrl,
IncidentStatus = Status,
IncidentName = IncidentNumber
)
on SystemAlertId
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AllEntities
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: '{{AlertName}} '
alertDescriptionFormat: '{{Description}} '
alertTacticsColumnName: Tactics
alertSeverityColumnName: AlertSeverity
alertDynamicProperties:
- alertProperty: AlertLink
value: AlertLink
- alertProperty: Techniques
value: Techniques
- alertProperty: ProviderName
value: ProviderName
- alertProperty: RemediationSteps
value: RemediationSteps
- alertProperty: ConfidenceLevel
value: ConfidenceLevel
- alertProperty: ConfidenceScore
value: ConfidenceScore
- alertProperty: ExtendedLinks
value: ExtendedLinks
- alertProperty: ProductName
value: ProductName
- alertProperty: ProductComponentName
value: ProductComponentName
customDetails:
WorkloadIdentityName: WorkloadIdentityName
WorkloadIdentityType: WorkloadIdentityType
ServicePrincipalId: ServicePrincipalObjectId
ApplicationId: AppId
IsFirstPartyApp: IsFirstPartyApp
PrivilegedAccess: EnterpriseAccessModelTiering
EntraDirectoryRoles: EntraIdRoles
MSGraphRoles: AppRolePermissions
CommunityUse: CommunityUse
Vendor: Publisher
entityMappings:
- entityType: CloudApplication
fieldMappings:
- identifier: AppId
columnName: AppId
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: WorkloadIdentityName
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IpAddress
- entityType: URL
fieldMappings:
- identifier: Url
columnName: RedirectUris
suppressionDuration: 5h
Explanation
This query is used to create an incident from a threat detection policy. It looks for events in the SecurityAlert table where the ProductName is "Microsoft Cloud App Security" or the ProductComponentName is "Anubis". It then expands the Entities column and filters for events with Type "oauth-application". It extends the AppId, IpAddress, RedirectUris, AlertDisplayName, CommunityUse, and Publisher columns. It joins the PrivilegedWorkloadIdentityInfo table on the AppId column and the SecurityIncident table on the SystemAlertId column. The query has a frequency and period of 1 hour and a trigger threshold of 0. The incident configuration is set to create incidents with grouping enabled and a lookback duration of 5 hours. The alert details override section specifies the format and properties for the alert. The entity mappings section maps columns to entity types. The suppression duration is set to 5 hours.
Details
Thomas Naunheim
Released: December 9, 2023
Tables
SecurityAlert
PrivilegedWorkloadIdentityInfo
SecurityIncident
Keywords
Devices,Intune,User,OAuthApps,EnrichedInformation,MDAThreatdetectionpolicy,CloudApplication,SecurityAlert,ProductName,ProductComponentName,Anubis,Entities,oauth-application,AppId,IpAddress,ExtendedProperties,RedirectUris,DisplayName,CommunityUse,Publisher,PrivilegedWorkloadIdentityInfo,WorkloadIdentityName,WorkloadIdentityType,IsFirstPartyApp,ApplicationId,ServicePrincipalObjectId,EnterpriseAccessModelTiering,EntraIdRoles,AppRolePermissions,SecurityIncident,AlertIds,SystemAlertId,TimeGenerated,AdditionalData.providerIncidentUrl,Status,IncidentNumber,suppressionEnabled,createIncident,groupingConfiguration,enabled,reopenClosedIncident,lookbackDuration,matchingMethod,AllEntities,groupByEntities,groupByAlertDetails,groupByCustomDetails,eventGroupingSettings,aggregationKind,AlertPerResult,alertDisplayNameFormat,alertDescriptionFormat,alertTacticsColumnName,alertSeverityColumnName,alertDynamicProperties,AlertLink,Techniques,ProviderName,RemediationSteps,ConfidenceLevel,ConfidenceScore,ExtendedLinks,ProductName,ProductComponentName,customDetails,WorkloadIdentityName,WorkloadIdentityType,ServicePrincipalObjectId,AppId,IsFirstPartyApp,EnterpriseAccessModelTiering,EntraIdRoles,AppRolePermissions,CommunityUse,Publisher,entityMappings,CloudApplication,fieldMappings,identifier,AppId,columnName,Name,IpAddress,Address,Url,RedirectUris,suppressionDuration.
Operators
whereormv-expandparse_jsonextendtostringjoinprojectsummarizearg_maxbyonsuppressionEnabledcreateIncidentenabledreopenClosedIncidentlookbackDurationmatchingMethodgroupByEntitiesgroupByAlertDetailsgroupByCustomDetailsaggregationKindalertDisplayNameFormatalertDescriptionFormatalertTacticsColumnNamealertSeverityColumnNamealertDynamicPropertiescustomDetailsentityMappings