Detect Anomalous External O Auth App Activity Using Actor Info String
Query
// Detect anomalous external OAuthApp activity using ActorInfoString
// https://techcommunity.microsoft.com/blog/microsoft-security-blog/introducing-actorinfostring-a-new-era-of-audit-log-accuracy-in-exchange-online/4408093
CloudAppEvents
| where Timestamp > ago(1h)
| where Application == @"Microsoft Exchange Online"
| where isnotempty(parse_json(RawEventData)["ActorInfoString"])
| extend ActorInfoString = tostring(parse_json(RawEventData)["ActorInfoString"])
| where UncommonForUser has "CountryCode" and UncommonForUser has "UserAgent"
| where isnotempty(OAuthAppId)
| join OAuthAppInfo on OAuthAppId
| where AppOrigin == @"External"Explanation
This query is designed to detect unusual activity related to external OAuth applications in Microsoft Exchange Online. Here's a simplified breakdown of what it does:
-
Data Source: It starts by looking at events from the
CloudAppEventstable. -
Time Frame: It focuses on events that occurred within the last hour.
-
Application Filter: It specifically examines events related to "Microsoft Exchange Online".
-
Actor Information: It checks if the
ActorInfoStringfield in the event data is not empty, which contains detailed information about the actor performing the action. -
Extract Actor Info: It extracts the
ActorInfoStringfrom the raw event data for further analysis. -
Uncommon Activity: It filters for events that have unusual characteristics for the user, specifically looking for entries that include "CountryCode" and "UserAgent" in the
UncommonForUserfield. -
OAuth Application: It ensures that the event is associated with an OAuth application by checking that the
OAuthAppIdis not empty. -
Join with App Info: It joins the event data with the
OAuthAppInfotable using theOAuthAppIdto get more details about the application. -
External Origin: Finally, it filters for applications that originate externally, as indicated by the
AppOriginfield being "External".
Overall, this query is used to identify potentially suspicious or anomalous activities involving external OAuth applications in Exchange Online by analyzing recent events with specific characteristics.
Details

Steven Lim
Released: June 28, 2025
Tables
Keywords
Operators