# Identify unused high privileged application permissions

## Query Information

#### Description

The query below identifies high privileged application permissions that are granted to an application but not in use. These permissions can be revoked from the application to adhere to the principle of least privilege.

#### Risk

Having unused permissions is not in line with assigning least privilege to applications. Unused permissions can be abused if adversaries gain access to the application (for example via a leaked client secret or certificate), because the token issued to the application carries every granted permission regardless of whether the legitimate workload ever uses it.

## Defender XDR

```KQL
OAuthAppInfo
| summarize arg_max(Timestamp, *) by OAuthAppId   // latest snapshot per application
| mv-expand Permissions                            // one row per granted permission
| extend PermissionValue = tostring(Permissions.PermissionValue), InUse = tobool(Permissions.InUse), PrivilegeLevel = tostring(Permissions.PrivilegeLevel)
| where InUse == false and PrivilegeLevel == "High"  // granted but unused, and classified as high privileged
| summarize TotalHighPrivilegedPermissions = dcount(PermissionValue), Permissions = make_set(PermissionValue) by OAuthAppId, AppName, AppOrigin
```

## Sentinel

```KQL
OAuthAppInfo
| summarize arg_max(TimeGenerated, *) by OAuthAppId   // latest snapshot per application
| mv-expand Permissions                                // one row per granted permission
| extend PermissionValue = tostring(Permissions.PermissionValue), InUse = tobool(Permissions.InUse), PrivilegeLevel = tostring(Permissions.PrivilegeLevel)
| where InUse == false and PrivilegeLevel == "High"  // granted but unused, and classified as high privileged
| summarize TotalHighPrivilegedPermissions = dcount(PermissionValue), Permissions = make_set(PermissionValue) by OAuthAppId, AppName, AppOrigin
```
This query is designed to identify high-privileged permissions assigned to applications that are not currently being used. The goal is to help maintain security by adhering to the principle of least privilege, which means giving applications only the permissions they need to function and no more. Unused high-privileged permissions can pose a security risk if they are exploited by malicious actors.
Here's a breakdown of what the query does:
- Data source: it starts from the `OAuthAppInfo` table, which holds snapshots of applications (`OAuthAppId`) together with their granted permissions, the usage state of each permission and its privilege level.
- Latest record selection: `summarize arg_max(Timestamp, *) by OAuthAppId` keeps only the most recent snapshot per application, so the usage state that is evaluated is the current one and older snapshots do not produce stale or duplicate findings.
- Permission expansion: `mv-expand Permissions` turns the dynamic `Permissions` array into one row per permission.
- Data transformation: `extend` pulls `PermissionValue`, `InUse` (cast to bool) and `PrivilegeLevel` out of each expanded object into typed columns that can be filtered on.
- Filter criteria: the `where` clause keeps only permissions that are granted but not in use (`InUse == false`) and that are classified as high privileged (`PrivilegeLevel == "High"`); permissions that are in use, or of lower privilege, are discarded.
- Summary: the final `summarize` counts the distinct unused high privileged permissions per application and lists them in a set, grouped by `OAuthAppId`, `AppName` and `AppOrigin` so that the result can be triaged per application and by where the application comes from.
The query is essentially the same for both Defender XDR and Sentinel, with a slight difference in the timestamp field used (Timestamp vs. TimeGenerated).
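As an added example that is not part of the original query page, the same pipeline (arg_max, mv-expand, extend, where, summarize) is re-implemented below in Python and run over a few constructed `OAuthAppInfo`-like records. It is meant to show what the KQL returns and why the `arg_max` step matters: one application appears in two snapshots, and only the newer one may be evaluated. The record layout, the application IDs, names and permission values are assumptions made for the example, not real tenant data.

```python
"""
Added example (not the query page's own code): a Python re-implementation of the
KQL pipeline, run over constructed OAuthAppInfo-like records. The record layout
(OAuthAppId, AppName, AppOrigin, Timestamp and a Permissions array of objects with
PermissionValue, InUse and PrivilegeLevel) mirrors the columns the query reads;
all values below are made up.
"""
from datetime import datetime

# Constructed sample snapshots. App ...0001 appears twice: the older snapshot
# reports Mail.ReadWrite as unused, the newer one reports it as in use, so only
# the newer snapshot may be evaluated (this is what arg_max does in KQL).
SAMPLE_OAUTHAPPINFO = [
    {
        "Timestamp": datetime(2025, 4, 13, 0, 0),
        "OAuthAppId": "00000000-0000-0000-0000-000000000001",
        "AppName": "Backup Connector",
        "AppOrigin": "Third-party",
        "Permissions": [
            {"PermissionValue": "Mail.ReadWrite", "InUse": False, "PrivilegeLevel": "High"},
            {"PermissionValue": "Directory.ReadWrite.All", "InUse": False, "PrivilegeLevel": "High"},
        ],
    },
    {
        "Timestamp": datetime(2025, 4, 14, 0, 0),
        "OAuthAppId": "00000000-0000-0000-0000-000000000001",
        "AppName": "Backup Connector",
        "AppOrigin": "Third-party",
        "Permissions": [
            {"PermissionValue": "Mail.ReadWrite", "InUse": True, "PrivilegeLevel": "High"},
            {"PermissionValue": "Directory.ReadWrite.All", "InUse": False, "PrivilegeLevel": "High"},
            {"PermissionValue": "User.Read.All", "InUse": False, "PrivilegeLevel": "Medium"},
        ],
    },
    {
        "Timestamp": datetime(2025, 4, 14, 0, 0),
        "OAuthAppId": "00000000-0000-0000-0000-000000000002",
        "AppName": "HR Sync",
        "AppOrigin": "Third-party",
        "Permissions": [
            {"PermissionValue": "Group.ReadWrite.All", "InUse": False, "PrivilegeLevel": "High"},
            {"PermissionValue": "Sites.ReadWrite.All", "InUse": False, "PrivilegeLevel": "High"},
            {"PermissionValue": "User.Read", "InUse": True, "PrivilegeLevel": "Low"},
        ],
    },
    {
        "Timestamp": datetime(2025, 4, 14, 0, 0),
        "OAuthAppId": "00000000-0000-0000-0000-000000000003",
        "AppName": "Status Widget",
        "AppOrigin": "Third-party",
        "Permissions": [
            {"PermissionValue": "User.Read", "InUse": False, "PrivilegeLevel": "Low"},
        ],
    },
]


def latest_snapshot_per_app(rows, timestamp_field="Timestamp"):
    """summarize arg_max(<timestamp>, *) by OAuthAppId: newest row per application."""
    latest = {}
    for row in rows:
        app_id = row["OAuthAppId"]
        if app_id not in latest or row[timestamp_field] > latest[app_id][timestamp_field]:
            latest[app_id] = row
    return list(latest.values())


def unused_high_privileged_permissions(rows, timestamp_field="Timestamp"):
    """The full pipeline: arg_max, mv-expand, extend, where, summarize."""
    grouped = {}
    for row in latest_snapshot_per_app(rows, timestamp_field):
        key = (row["OAuthAppId"], row["AppName"], row["AppOrigin"])
        # mv-expand + extend: look at each granted permission on its own.
        for perm in row["Permissions"]:
            # where InUse == false and PrivilegeLevel == "High".
            # A missing InUse is treated like KQL's null: it does not equal false,
            # so the permission is not reported.
            if perm.get("InUse") is False and str(perm.get("PrivilegeLevel")) == "High":
                grouped.setdefault(key, set()).add(str(perm["PermissionValue"]))
    # summarize dcount(PermissionValue), make_set(PermissionValue) by app columns.
    return [
        {
            "OAuthAppId": app_id,
            "AppName": name,
            "AppOrigin": origin,
            "TotalHighPrivilegedPermissions": len(values),
            "Permissions": sorted(values),
        }
        for (app_id, name, origin), values in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for finding in unused_high_privileged_permissions(SAMPLE_OAUTHAPPINFO):
        print(f'{finding["AppName"]} ({finding["OAuthAppId"]}): '
              f'{finding["TotalHighPrivilegedPermissions"]} unused high privileged '
              f'permission(s): {", ".join(finding["Permissions"])}')
```

Running it reports Backup Connector with only `Directory.ReadWrite.All` (the older snapshot's unused `Mail.ReadWrite` is superseded) and HR Sync with two unused high privileged permissions; Status Widget does not appear because its unused permission is not high privileged. Passing `timestamp_field="TimeGenerated"` is the Python counterpart of the Sentinel variant of the query.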

Bert-Jan Pals
Released: April 14, 2025