full_access_as_app Granted To Application
| Id | 54e22fed-0ec6-4fb2-8312-2a3809a93f63 |
| Rulename | full_access_as_app Granted To Application |
| Description | This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent. This permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data by being added to a compromised application. The application granted this permission should be reviewed to ensure that it is absolutely necessary for the applications function. Ref: https://learn.microsoft.com/graph/auth-limit-mailbox-access |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1550.001 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml |
| Version | 1.0.2 |
| Arm template | 54e22fed-0ec6-4fb2-8312-2a3809a93f63.json |
AuditLogs
| where LoggedByService =~ "Core Directory"
| where Category =~ "ApplicationManagement"
| where OperationName =~ "Consent to application"
| where TargetResources has "full_access_as_app"
| mv-expand TargetResources
| extend OAuthAppName = TargetResources.displayName
| extend ModifiedProperties = TargetResources.modifiedProperties
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "ConsentContext.isAdminConsent"
| extend AdminConsent = tostring(Property.newValue)
)
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "ConsentAction.Permissions"
| extend Permissions = tostring(Property.newValue)
)
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "TargetId.ServicePrincipalNames"
| extend AppId = tostring(Property.newValue)
)
| mv-apply Property = AdditionalDetails on
(
where Property.key =~ "User-Agent"
| extend InitiatingUserAgent = replace('"', '', tostring(Property.value))
)
| project-away Property
| parse Permissions with * "ConsentType: " GrantConsentType ", Scope: " GrantScope1 "," *
| where GrantScope1 =~ "full_access_as_app"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, GrantScope1, GrantConsentType
| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName))
| extend Name = split(InitiatingUserPrincipalName, "@")[0], UPNSuffix = split(InitiatingUserPrincipalName, "@")[1]
customDetails:
OAuthAppId: AppId
OAuthApplication: OAuthAppName
UserAgent: InitiatingUserAgent
status: Available
id: 54e22fed-0ec6-4fb2-8312-2a3809a93f63
query: |
AuditLogs
| where LoggedByService =~ "Core Directory"
| where Category =~ "ApplicationManagement"
| where OperationName =~ "Consent to application"
| where TargetResources has "full_access_as_app"
| mv-expand TargetResources
| extend OAuthAppName = TargetResources.displayName
| extend ModifiedProperties = TargetResources.modifiedProperties
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "ConsentContext.isAdminConsent"
| extend AdminConsent = tostring(Property.newValue)
)
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "ConsentAction.Permissions"
| extend Permissions = tostring(Property.newValue)
)
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "TargetId.ServicePrincipalNames"
| extend AppId = tostring(Property.newValue)
)
| mv-apply Property = AdditionalDetails on
(
where Property.key =~ "User-Agent"
| extend InitiatingUserAgent = replace('"', '', tostring(Property.value))
)
| project-away Property
| parse Permissions with * "ConsentType: " GrantConsentType ", Scope: " GrantScope1 "," *
| where GrantScope1 =~ "full_access_as_app"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, GrantScope1, GrantConsentType
| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName))
| extend Name = split(InitiatingUserPrincipalName, "@")[0], UPNSuffix = split(InitiatingUserPrincipalName, "@")[1]
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml
description: |
'This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.
This permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data by being added to a compromised application. The application granted this permission should be reviewed to ensure that it is absolutely necessary for the applications function.
Ref: https://learn.microsoft.com/graph/auth-limit-mailbox-access'
name: full_access_as_app Granted To Application
relevantTechniques:
- T1550.001
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InitiatingUserPrincipalName
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: InitiatingAadUserId
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: InitiatingAppServicePrincipalId
- entityType: IP
fieldMappings:
- identifier: Address
columnName: InitiatingIpAddress
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- dataTypes:
- AuditLogs
connectorId: AzureActiveDirectory
alertDetailsOverride:
alertDescriptionFormat: |
This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.
This permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data
by being added to a compromised application. The application granted this permission should be reviewed to ensure that it
is absolutely necessary for the applications function.
In this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{InitiatingIpAddress}}
Ref: https://learn.microsoft.com/graph/auth-limit-mailbox-access
alertDisplayNameFormat: User or App {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.2
kind: Scheduled
tactics:
- DefenseEvasion
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54e22fed-0ec6-4fb2-8312-2a3809a93f63')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54e22fed-0ec6-4fb2-8312-2a3809a93f63')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{InitiatingIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n",
"alertDisplayNameFormat": "User or App {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}"
},
"alertRuleTemplateName": "54e22fed-0ec6-4fb2-8312-2a3809a93f63",
"customDetails": {
"OAuthAppId": "AppId",
"OAuthApplication": "OAuthAppName",
"UserAgent": "InitiatingUserAgent"
},
"description": "'This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data by being added to a compromised application. The application granted this permission should be reviewed to ensure that it is absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access'\n",
"displayName": "full_access_as_app Granted To Application",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAppServicePrincipalId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "InitiatingIpAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml",
"query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"full_access_as_app\"\n| mv-expand TargetResources\n| extend OAuthAppName = TargetResources.displayName\n| extend ModifiedProperties = TargetResources.modifiedProperties \n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"ConsentContext.isAdminConsent\"\n | extend AdminConsent = tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"ConsentAction.Permissions\"\n | extend Permissions = tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend AppId = tostring(Property.newValue)\n )\n| mv-apply Property = AdditionalDetails on \n (\n where Property.key =~ \"User-Agent\"\n | extend InitiatingUserAgent = replace('\"', '', tostring(Property.value))\n )\n| project-away Property\n| parse Permissions with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \",\" *\n| where GrantScope1 =~ \"full_access_as_app\"\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, GrantScope1, GrantConsentType\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName))\n| extend Name = split(InitiatingUserPrincipalName, \"@\")[0], UPNSuffix = split(InitiatingUserPrincipalName, \"@\")[1]\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1550.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1550"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}