full_access_as_app Granted To Application
| Id | 54e22fed-0ec6-4fb2-8312-2a3809a93f63 |
| Rulename | full_access_as_app Granted To Application |
| Description | This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent. This permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data by being added to a compromised application. The application granted this permission should be reviewed to ensure that it is absolutely necessary for the applications function. Ref: https://learn.microsoft.com/graph/auth-limit-mailbox-access |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1550.001 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml |
| Version | 1.0.2 |
| Arm template | 54e22fed-0ec6-4fb2-8312-2a3809a93f63.json |
AuditLogs
| where LoggedByService =~ "Core Directory"
| where Category =~ "ApplicationManagement"
| where OperationName =~ "Consent to application"
| where TargetResources has "full_access_as_app"
| mv-expand TargetResources
| extend OAuthAppName = TargetResources.displayName
| extend ModifiedProperties = TargetResources.modifiedProperties
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "ConsentContext.isAdminConsent"
| extend AdminConsent = tostring(Property.newValue)
)
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "ConsentAction.Permissions"
| extend Permissions = tostring(Property.newValue)
)
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "TargetId.ServicePrincipalNames"
| extend AppId = tostring(Property.newValue)
)
| mv-apply Property = AdditionalDetails on
(
where Property.key =~ "User-Agent"
| extend InitiatingUserAgent = replace('"', '', tostring(Property.value))
)
| project-away Property
| parse Permissions with * "ConsentType: " GrantConsentType ", Scope: " GrantScope1 "," *
| where GrantScope1 =~ "full_access_as_app"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, GrantScope1, GrantConsentType
| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName))
| extend Name = split(InitiatingUserPrincipalName, "@")[0], UPNSuffix = split(InitiatingUserPrincipalName, "@")[1]
id: 54e22fed-0ec6-4fb2-8312-2a3809a93f63
tactics:
- DefenseEvasion
queryPeriod: 1h
triggerThreshold: 0
name: full_access_as_app Granted To Application
query: |
AuditLogs
| where LoggedByService =~ "Core Directory"
| where Category =~ "ApplicationManagement"
| where OperationName =~ "Consent to application"
| where TargetResources has "full_access_as_app"
| mv-expand TargetResources
| extend OAuthAppName = TargetResources.displayName
| extend ModifiedProperties = TargetResources.modifiedProperties
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "ConsentContext.isAdminConsent"
| extend AdminConsent = tostring(Property.newValue)
)
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "ConsentAction.Permissions"
| extend Permissions = tostring(Property.newValue)
)
| mv-apply Property = ModifiedProperties on
(
where Property.displayName =~ "TargetId.ServicePrincipalNames"
| extend AppId = tostring(Property.newValue)
)
| mv-apply Property = AdditionalDetails on
(
where Property.key =~ "User-Agent"
| extend InitiatingUserAgent = replace('"', '', tostring(Property.value))
)
| project-away Property
| parse Permissions with * "ConsentType: " GrantConsentType ", Scope: " GrantScope1 "," *
| where GrantScope1 =~ "full_access_as_app"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, GrantScope1, GrantConsentType
| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName))
| extend Name = split(InitiatingUserPrincipalName, "@")[0], UPNSuffix = split(InitiatingUserPrincipalName, "@")[1]
severity: Medium
customDetails:
OAuthApplication: OAuthAppName
UserAgent: InitiatingUserAgent
OAuthAppId: AppId
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1550.001
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
version: 1.0.2
description: |
'This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.
This permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data by being added to a compromised application. The application granted this permission should be reviewed to ensure that it is absolutely necessary for the applications function.
Ref: https://learn.microsoft.com/graph/auth-limit-mailbox-access'
status: Available
alertDetailsOverride:
alertDisplayNameFormat: User or App {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}
alertDescriptionFormat: |
This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.
This permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data
by being added to a compromised application. The application granted this permission should be reviewed to ensure that it
is absolutely necessary for the applications function.
In this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{InitiatingIpAddress}}
Ref: https://learn.microsoft.com/graph/auth-limit-mailbox-access
entityMappings:
- fieldMappings:
- columnName: InitiatingUserPrincipalName
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: InitiatingAadUserId
identifier: AadUserId
entityType: Account
- fieldMappings:
- columnName: InitiatingAppServicePrincipalId
identifier: AadUserId
entityType: Account
- fieldMappings:
- columnName: InitiatingIpAddress
identifier: Address
entityType: IP
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54e22fed-0ec6-4fb2-8312-2a3809a93f63')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54e22fed-0ec6-4fb2-8312-2a3809a93f63')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{InitiatingIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n",
"alertDisplayNameFormat": "User or App {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}"
},
"alertRuleTemplateName": "54e22fed-0ec6-4fb2-8312-2a3809a93f63",
"customDetails": {
"OAuthAppId": "AppId",
"OAuthApplication": "OAuthAppName",
"UserAgent": "InitiatingUserAgent"
},
"description": "'This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data by being added to a compromised application. The application granted this permission should be reviewed to ensure that it is absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access'\n",
"displayName": "full_access_as_app Granted To Application",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAppServicePrincipalId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "InitiatingIpAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml",
"query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"full_access_as_app\"\n| mv-expand TargetResources\n| extend OAuthAppName = TargetResources.displayName\n| extend ModifiedProperties = TargetResources.modifiedProperties \n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"ConsentContext.isAdminConsent\"\n | extend AdminConsent = tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"ConsentAction.Permissions\"\n | extend Permissions = tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend AppId = tostring(Property.newValue)\n )\n| mv-apply Property = AdditionalDetails on \n (\n where Property.key =~ \"User-Agent\"\n | extend InitiatingUserAgent = replace('\"', '', tostring(Property.value))\n )\n| project-away Property\n| parse Permissions with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \",\" *\n| where GrantScope1 =~ \"full_access_as_app\"\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, GrantScope1, GrantConsentType\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName))\n| extend Name = split(InitiatingUserPrincipalName, \"@\")[0], UPNSuffix = split(InitiatingUserPrincipalName, \"@\")[1]\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1550.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1550"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}