Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. full_access_as_app Granted To Application

full_access_as_app Granted To Application

Back
Id54e22fed-0ec6-4fb2-8312-2a3809a93f63
Rulenamefull_access_as_app Granted To Application
DescriptionThis detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.

This permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data

by being added to a compromised application. The application granted this permission should be reviewed to ensure that it

is absolutely necessary for the applications function.

Ref: https://learn.microsoft.com/graph/auth-limit-mailbox-access
SeverityMedium
TacticsDefenseEvasion
TechniquesT1550.001
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml
Version1.0.0
Arm template54e22fed-0ec6-4fb2-8312-2a3809a93f63.json
Deploy To Azure
AuditLogs
| where LoggedByService =~ "Core Directory"
| where Category =~ "ApplicationManagement"
| where OperationName =~ "Consent to application"
| where TargetResources has "full_access_as_app"
| mv-expand TargetResources
| extend OAuthAppName = TargetResources.displayName
| extend ModifiedProperties = TargetResources.modifiedProperties 
| mv-apply Property = ModifiedProperties on 
  (
      where Property.displayName =~ "ConsentContext.isAdminConsent"
      | extend AdminConsent = tostring(Property.newValue)
  )
| mv-apply Property = ModifiedProperties on 
  (
      where Property.displayName =~ "ConsentAction.Permissions"
      | extend Permissions = tostring(Property.newValue)
  )
| mv-apply Property = ModifiedProperties on 
  (
      where Property.displayName =~ "TargetId.ServicePrincipalNames"
      | extend AppId = tostring(Property.newValue)
  )
| mv-expand AdditionalDetails
| extend GrantUserAgent = tostring(iff(AdditionalDetails.key =~ "User-Agent", AdditionalDetails.value, ""))
| parse Permissions with * "ConsentType: " GrantConsentType ", Scope: " GrantScope1 "," *
| where GrantScope1 =~ "full_access_as_app"
| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))
| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, GrantIpAddress, GrantInitiatedBy, GrantUserAgent, GrantScope1, GrantConsentType
| extend Name = split(GrantInitiatedBy, "@")[0], UPNSuffix = split(GrantInitiatedBy, "@")[1]

triggerThreshold: 0
queryFrequency: 1h
relevantTechniques:
- T1550.001
tactics:
- DefenseEvasion
id: 54e22fed-0ec6-4fb2-8312-2a3809a93f63
alertDetailsOverride:
  alertDescriptionFormat: |
    This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.
    This permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data 
    by being added to a compromised application. The application granted this permission should be reviewed to ensure that it 
    is absolutely necessary for the applications function.
    In this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}
    Ref: https://learn.microsoft.com/graph/auth-limit-mailbox-access    
  alertDisplayNameFormat: User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}
kind: Scheduled
triggerOperator: gt
severity: Medium
customDetails:
  OAuthApplication: OAuthAppName
  UserAgent: GrantUserAgent
  OAuthAppId: AppId
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
query: |
  AuditLogs
  | where LoggedByService =~ "Core Directory"
  | where Category =~ "ApplicationManagement"
  | where OperationName =~ "Consent to application"
  | where TargetResources has "full_access_as_app"
  | mv-expand TargetResources
  | extend OAuthAppName = TargetResources.displayName
  | extend ModifiedProperties = TargetResources.modifiedProperties 
  | mv-apply Property = ModifiedProperties on 
    (
        where Property.displayName =~ "ConsentContext.isAdminConsent"
        | extend AdminConsent = tostring(Property.newValue)
    )
  | mv-apply Property = ModifiedProperties on 
    (
        where Property.displayName =~ "ConsentAction.Permissions"
        | extend Permissions = tostring(Property.newValue)
    )
  | mv-apply Property = ModifiedProperties on 
    (
        where Property.displayName =~ "TargetId.ServicePrincipalNames"
        | extend AppId = tostring(Property.newValue)
    )
  | mv-expand AdditionalDetails
  | extend GrantUserAgent = tostring(iff(AdditionalDetails.key =~ "User-Agent", AdditionalDetails.value, ""))
  | parse Permissions with * "ConsentType: " GrantConsentType ", Scope: " GrantScope1 "," *
  | where GrantScope1 =~ "full_access_as_app"
  | extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
  | extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))
  | project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, GrantIpAddress, GrantInitiatedBy, GrantUserAgent, GrantScope1, GrantConsentType
  | extend Name = split(GrantInitiatedBy, "@")[0], UPNSuffix = split(GrantInitiatedBy, "@")[1]  
entityMappings:
- fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: GrantIpAddress
    identifier: Address
  entityType: IP
version: 1.0.0
queryPeriod: 1h
name: full_access_as_app Granted To Application
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml
status: Available
description: |
  'This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.
  This permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data 
  by being added to a compromised application. The application granted this permission should be reviewed to ensure that it 
  is absolutely necessary for the applications function.
  Ref: https://learn.microsoft.com/graph/auth-limit-mailbox-access'  

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54e22fed-0ec6-4fb2-8312-2a3809a93f63')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54e22fed-0ec6-4fb2-8312-2a3809a93f63')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "full_access_as_app Granted To Application",
        "description": "'This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"full_access_as_app\"\n| mv-expand TargetResources\n| extend OAuthAppName = TargetResources.displayName\n| extend ModifiedProperties = TargetResources.modifiedProperties \n| mv-apply Property = ModifiedProperties on \n  (\n      where Property.displayName =~ \"ConsentContext.isAdminConsent\"\n      | extend AdminConsent = tostring(Property.newValue)\n  )\n| mv-apply Property = ModifiedProperties on \n  (\n      where Property.displayName =~ \"ConsentAction.Permissions\"\n      | extend Permissions = tostring(Property.newValue)\n  )\n| mv-apply Property = ModifiedProperties on \n  (\n      where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n      | extend AppId = tostring(Property.newValue)\n  )\n| mv-expand AdditionalDetails\n| extend GrantUserAgent = tostring(iff(AdditionalDetails.key =~ \"User-Agent\", AdditionalDetails.value, \"\"))\n| parse Permissions with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \",\" *\n| where GrantScope1 =~ \"full_access_as_app\"\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, GrantIpAddress, GrantInitiatedBy, GrantUserAgent, GrantScope1, GrantConsentType\n| extend Name = split(GrantInitiatedBy, \"@\")[0], UPNSuffix = split(GrantInitiatedBy, \"@\")[1]\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1550.001"
        ],
        "alertRuleTemplateName": "54e22fed-0ec6-4fb2-8312-2a3809a93f63",
        "alertDetailsOverride": {
          "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n",
          "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}"
        },
        "customDetails": {
          "OAuthApplication": "OAuthAppName",
          "OAuthAppId": "AppId",
          "UserAgent": "GrantUserAgent"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "GrantIpAddress",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml",
        "status": "Available"
      }
    }
  ]
}