Query Details

Critical Identities O Auth Grant

Query

// Critical Identities OAuth Grant
// https://www.linkedin.com/posts/0x534c_defenderxdr-customdetection-exposuremanagement-activity-7182677630733725696-MF_U/

// Custom DefenderXDR detection rule for critical identities marked by exposure management for performing an OAuth grant to an application. Bear in mind critical identites hold highly privilege roles, any OAuth grant to any rouge application would be disastrous. Therefore it is vital for SecOps to monitor organization's critical identities OAuth grant unless you have an OAuth Cloud App policy that blocks all grant by default. 🫔

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) 
and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend AccountID = tostring(NodeProperties.rawData.accountObjectId)
| distinct AccountID;
CloudAppEvents
| where ActivityType == "Add"
| where ActionType == @"Consent to application."
| where AccountId has_any(CriticalIdentities)


// MITRE ATT&CK Mapping

// The KQL query can be mapped to the following MITRE ATT&CK techniques:

// T1078 - Valid Accounts:
// The query identifies critical accounts that might be used for legitimate access but could be leveraged by adversaries for malicious purposes.

// T1071.001 - Application Layer Protocol: Web Protocols:
// The detection of ā€œConsent to applicationā€ events can be related to the use of web protocols for application consent, which might be exploited by adversaries to gain access to cloud applications.

// T1098 - Account Manipulation:
// The query looks for consent to applications, which can be a form of account manipulation if adversaries are granting permissions to malicious applications.

Explanation

This KQL query is designed to monitor and detect when highly privileged accounts, referred to as "critical identities," grant OAuth permissions to applications. These critical identities are identified based on their high level of privilege within an organization, and any unauthorized OAuth grant to potentially malicious applications could pose a significant security risk. The query works by:

  1. Identifying critical identities from a dataset called ExposureGraphNodes, filtering for those with a criticality level below 4. 2. Extracting the account IDs of these critical identities.
  2. Checking the CloudAppEvents dataset for any "Add" activities where the action type is "Consent to application" and the account involved is one of the critical identities.

The query helps security operations teams (SecOps) keep an eye on OAuth grants by these critical accounts, unless there is a policy in place that blocks all such grants by default.

Additionally, the query is mapped to specific MITRE ATT&CK techniques, indicating potential security threats:

  • T1078 - Valid Accounts: Highlights the risk of legitimate accounts being used for unauthorized access.
  • T1071.001 - Application Layer Protocol: Web Protocols: Points to the use of web protocols for application consent, which could be exploited.
  • T1098 - Account Manipulation: Indicates the risk of account manipulation through unauthorized consent to applications.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphNodesCloudAppEvents

Keywords

CriticalIdentitiesExposureGraphNodesCategoriesNodePropertiesAccountIDCloudAppEventsActivityTypeActionType

Operators

let|whereset_has_elementisnotnullandextendtostringdistinct==has_any

MITRE Techniques

Actions

GitHub