Query Details

OAuth Permissions Added and Removed

Query

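//Query to find OAuth applications where an app role (permission) was added and removed within a short window (default 10 minutes)
//Detection idea: an operator grants a permission to a service principal, uses it, then removes it again to reduce the audit footprint
//Data connector required for this query - Azure Active Directory (now Microsoft Entra ID) - Audit Logs; table: AuditLogs
//
//Caveats a reviewer should keep in mind:
// - PermissionAdded/PermissionRemoved and AppId are read from fixed positions ([1] and [5]) of
//   TargetResources[0].modifiedProperties. That ordering is an observed property of these audit records,
//   not a documented contract. If it shifts, AppId comes back empty; the isnotempty() guards below then
//   drop those rows instead of letting empty keys cross-join every add with every remove.
// - Only user-initiated events are attributed (InitiatedBy.user). Changes made by an application
//   leave UserWhoAdded/UserWhoRemoved empty; extend the extraction if app-initiated changes matter to you.
// - The join key is AppId only, so any add paired with any remove for the same app inside the window
//   matches even when the two events concern different permissions. Add
//   `| where PermissionAdded == PermissionRemoved` after the join to require the same permission.
//
//Tunable: maximum gap between the add and the remove event, in either order.
let window = 10m;
let PermissionAddedAlert=
    AuditLogs
    | where OperationName has "Add app role assignment to service principal"
    | extend UserWhoAdded = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    // newValue carries the role that was granted
    | extend PermissionAdded = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
    | extend AppId = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[5].newValue)))
    | extend TimeAdded = TimeGenerated
    // An empty AppId would join against every other empty AppId; drop such rows rather than emit noise
    | where isnotempty(AppId)
    | project UserWhoAdded, PermissionAdded, AppId, TimeAdded;
let PermissionRemovedAlert=
    AuditLogs
    | where OperationName has "Remove app role assignment from service principal"
    | extend UserWhoRemoved = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    // On the removal side the role is read from oldValue (the value before the change)
    | extend PermissionRemoved = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].oldValue)))
    | extend AppId = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[5].newValue)))
    | extend TimeRemoved = TimeGenerated
    | where isnotempty(AppId)
    | project UserWhoRemoved, PermissionRemoved, AppId, TimeRemoved;
PermissionAddedAlert
| join kind=inner PermissionRemovedAlert on AppId
// Compare elapsed time directly. datetime_diff('minute', ...) counts calendar-minute boundaries
// crossed rather than elapsed time, so it is imprecise right at the edge of the window.
| where abs(TimeAdded - TimeRemoved) <= window
// Negative when the removal happened after the addition (the add-use-remove pattern);
// positive when a permission was removed and then re-added.
| extend TimeDiff = TimeAdded - TimeRemoved
| project
    TimeAdded,
    UserWhoAdded,
    PermissionAdded,
    AppId,
    TimeRemoved,
    UserWhoRemoved,
    PermissionRemoved,
    TimeDiff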

Explanation

This query is used to find OAuth applications where permissions were added and removed within a 10-minute timeframe. It utilizes the Azure Active Directory (now Microsoft Entra ID) - Audit Logs data connector, reading from the AuditLogs table.

The query first identifies the permissions that were added to service principals and retrieves information such as the user who added the permission, the permission added, the application ID, and the time it was added.

Next, it identifies the permissions that were removed from service principals and retrieves information such as the user who removed the permission, the permission removed, the application ID, and the time it was removed.

The query then joins the two sets of data based on the application ID and filters for cases where the time difference between the permission added and removed is within 10 minutes, in either order. Because the join key is the application ID alone, any addition is paired with any removal for the same application inside that window, even if the two events concern different permissions; the permission values must be compared by the analyst (or an extra filter added) to confirm the same permission was involved.

Finally, it calculates the time difference between the permission added and removed (TimeAdded minus TimeRemoved, so the value is negative when the removal came after the addition) and projects the relevant information such as the time added, user who added, permission added, application ID, time removed, user who removed, permission removed, and the time difference. Note that only user-initiated changes are attributed; an event initiated by an application leaves the user columns empty.

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

OAuth,Applications,Permissions,Added,Removed,10Minutes,DataConnector,AzureActiveDirectory,AuditLogs,PermissionAddedAlert,PermissionRemovedAlert,OperationName,Addapproleassignmenttoserviceprincipal,Removeapproleassignmentfromserviceprincipal,UserWhoAdded,UserWhoRemoved,PermissionAdded,PermissionRemoved,AppId,TimeAdded,TimeRemoved,TimeDiff

Operators

where, extend, tostring, parse_json, TimeGenerated, project, join, kind, abs, datetime_diff
