Query Details

MDA Threat detection policy for OAuth Apps with Enriched Information

MDA Threat Detection Policy For O Auth Apps With Enriched Information Workload Identity Info

Query

SecurityAlert
| where ProductName == "Microsoft Cloud App Security" or ProductComponentName == "Anubis"
| mv-expand parse_json(Entities) | where Entities.Type == "oauth-application"
| extend AppId = tostring(Entities.OAuthAppId)
| extend IpAddress = parse_json(ExtendedProperties).["IP Addresses"]
| extend RedirectUris = parse_json(tostring(Entities.RedirectURLs))
| extend AlertDisplayName = tostring(DisplayName)
| extend CommunityUse = tostring(Entities.CommunityUse)
| extend Publisher = tostring(Entities.PublisherName)
| join kind=inner (
    PrivilegedWorkloadIdentityInfo
    | project
        WorkloadIdentityName,
        WorkloadIdentityType,
        IsFirstPartyApp,
        AppId = tostring(ApplicationId),
        tostring(ServicePrincipalObjectId),
        EnterpriseAccessModelTiering,
        EntraIdRoles,
        AppRolePermissions
    )
    on AppId
| join kind=inner (
    SecurityIncident
    | mv-expand AlertIds
    | extend SystemAlertId = tostring(AlertIds)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project
        SystemAlertId,
        IncidentUrl = AdditionalData.providerIncidentUrl,
        IncidentStatus = Status,
        IncidentName = IncidentNumber
    )
    on SystemAlertId

Explanation

This query is used to create an incident from a threat detection policy. It looks for events in the SecurityAlert table where the ProductName is "Microsoft Cloud App Security" or the ProductComponentName is "Anubis". It then expands the Entities column and filters for events with Type "oauth-application". It extends the AppId, IpAddress, RedirectUris, AlertDisplayName, CommunityUse, and Publisher columns. It joins the PrivilegedWorkloadIdentityInfo table on the AppId column and the SecurityIncident table on the SystemAlertId column. The query has a frequency and period of 1 hour and a trigger threshold of 0. The incident configuration is set to create incidents with grouping enabled and a lookback duration of 5 hours. The alert details override section specifies the format and properties for the alert. The entity mappings section maps columns to entity types. The suppression duration is set to 5 hours.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: December 9, 2023

Tables

SecurityAlert PrivilegedWorkloadIdentityInfo SecurityIncident

Keywords

DevicesIntuneUserOAuth AppsEnriched InformationMDA Threat detection policyCloud ApplicationSecurityAlertProductNameProductComponentNameAnubisEntitiesoauth-applicationAppIdIpAddressExtendedPropertiesRedirectUrisDisplayNameCommunityUsePublisherPrivilegedWorkloadIdentityInfoWorkloadIdentityNameWorkloadIdentityTypeIsFirstPartyAppApplicationIdServicePrincipalObjectIdEnterpriseAccessModelTieringEntraIdRolesAppRolePermissionsSecurityIncidentAlertIdsSystemAlertIdTimeGeneratedAdditionalData.providerIncidentUrlStatusIncidentNumbersuppressionEnabledcreateIncidentgroupingConfigurationenabledreopenClosedIncidentlookbackDurationmatchingMethodAllEntitiesgroupByEntitiesgroupByAlertDetailsgroupByCustomDetailseventGroupingSettingsaggregationKindAlertPerResultalertDisplayNameFormatalertDescriptionFormatalertTacticsColumnNamealertSeverityColumnNamealertDynamicPropertiesAlertLinkTechniquesProviderNameRemediationStepsConfidenceLevelConfidenceScoreExtendedLinkscustomDetailsentityMappingsCloudApplicationfieldMappingsidentifiercolumnNameNameAddressUrlsuppressionDuration.

Operators

whereormv-expandparse_jsonextendtostringjoinprojectsummarizearg_maxbyonsuppressionEnabledcreateIncidentenabledreopenClosedIncidentlookbackDurationmatchingMethodgroupByEntitiesgroupByAlertDetailsgroupByCustomDetailsaggregationKindalertDisplayNameFormatalertDescriptionFormatalertTacticsColumnNamealertSeverityColumnNamealertDynamicPropertiescustomDetailsentityMappings

Severity

Medium

Frequency: 1h

Period: 1h

Actions

GitHub