Using Graph Pre Consent Explorer Data For Microsoft Graph Threat Hunting
Query
// Using GraphPreConsentExplorer data for Microsoft Graph Threat Hunting
let GraphPreConsent=externaldata(Name:string, Client_Id:string, Enabled:string, Graph_api_permissions:string,
Auth_code:string, Device_code:string, Brk_refresh:string, Foci:string, Reply_addresses:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/GraphPreConsent.csv'];
//
// Microsoft Graph Threat Hunting
//
MicrosoftGraphActivityLogs
| join GraphPreConsent on $left.AppId == $right.Client_Id
// Threat hunting QueryExplanation
This query is designed for threat hunting using Microsoft Graph data. Here's a simplified explanation of what it does:
-
Data Source Definition: It starts by defining an external data source named
GraphPreConsent. This data source is a CSV file hosted on GitHub and contains information about various applications, including their names, client IDs, and permissions related to Microsoft Graph API. -
Data Fields: The CSV file includes fields such as
Name,Client_Id,Enabled,Graph_api_permissions, and several others related to authentication and reply addresses. -
Data Joining: The query then uses the
MicrosoftGraphActivityLogstable, which contains logs of activities related to Microsoft Graph. It performs a join operation between this table and theGraphPreConsentdata on the condition that theAppIdfrom theMicrosoftGraphActivityLogsmatches theClient_Idfrom theGraphPreConsentdata. -
Purpose: The main goal of this query is to identify and analyze activities related to specific applications that have pre-consented permissions in Microsoft Graph. This can help in detecting potential security threats or unauthorized access patterns by correlating activity logs with known application permissions.
In essence, this query is part of a threat hunting process that leverages pre-consent data to enhance the analysis of Microsoft Graph activity logs for security monitoring.
Details

Steven Lim
Released: February 10, 2025
Tables
Keywords
Operators