Cloud App Privilege O Auth Grant
Query
//CloudApp Privilege OAuth Grant
//https://www.linkedin.com/feed/update/urn:li:activity:7167157961109303296/
//Custom KQL Defender detection rule running at continuous NRT (Near Real-Time) detecting assignments of high privileged permissions to OAuth application in seconds!
CloudAppEvents
| where ActionType == "Consent to application." and AccountType == "Admin"
| extend AdminUPN = tostring(RawEventData.UserId)
| extend ConsentData = tostring(RawEventData.ModifiedProperties)
| project Timestamp, AdminUPN, ActionType, ObjectName, ConsentData, ReportId
// MITRE ATT&CK Mapping
// The KQL query is primarily focused on detecting administrative consent to applications, which can be mapped to the following MITRE ATT&CK techniques:
// T1078 - Valid Accounts:
// Description: Adversaries may leverage valid accounts to gain access to and interact with systems, including using administrative accounts to consent to applications.
// Detection: Monitoring for unusual or unauthorized use of administrative accounts, especially for actions like consenting to applications, can help detect this technique.
// T1098 - Account Manipulation:
// Description: Adversaries may manipulate accounts to maintain access to systems, including granting consent to applications that may provide additional access or capabilities.
// Detection: Detecting changes in account permissions or consent to applications by administrative accounts can indicate potential account manipulation.
// T1071 - Application Layer Protocol:
// Description: Adversaries may use application layer protocols to communicate with systems under their control, including using OAuth tokens obtained through consent to applications.
// Detection: Monitoring for unusual application consent activities can help identify potential misuse of application layer protocols.
// By mapping the KQL query to these MITRE ATT&CK techniques, you can better understand the potential threats and improve your detection capabilities.Explanation
This query is designed to monitor and detect when high-level permissions are granted to OAuth applications by administrators in near real-time. Here's a simple breakdown:
-
Purpose: The query identifies instances where an admin consents to an application, which could potentially grant the application high-level access or permissions.
-
Process:
- It looks at events related to cloud applications.
- Specifically, it filters for actions where an admin has consented to an application.
- It extracts and displays details like the timestamp of the event, the admin's user ID, the action type, the application's name, and any changes made during the consent process.
-
Security Context:
- The query is linked to certain security techniques from the MITRE ATT&CK framework, which helps in understanding potential security threats:
- T1078 (Valid Accounts): It checks for unauthorized use of admin accounts.
- T1098 (Account Manipulation): It looks for changes in account permissions that could indicate manipulation.
- T1071 (Application Layer Protocol): It monitors for unusual consent activities that might suggest misuse of communication protocols.
- The query is linked to certain security techniques from the MITRE ATT&CK framework, which helps in understanding potential security threats:
By using this query, security teams can quickly detect and respond to potentially unauthorized or risky permissions being granted to applications, enhancing overall security posture.
