Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Third party integrated apps

Third party integrated apps

Back
IdBFA7EE22-B5A9-42C8-BD50-2E95885640BB
RulenameThird party integrated apps
DescriptionThis query searches for your services by regulating the access of third-party integrated apps.

Only allow access to necessary apps that support robust security controls.

Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy.

Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts.
SeverityHigh
TacticsExfiltration
TechniquesT1020
Required data connectorsSenservaPro
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/ThirdPartyIntegratedApps.yaml
Version1.0.1
Arm templateBFA7EE22-B5A9-42C8-BD50-2E95885640BB.json
Deploy To Azure
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreIntegratedApps'

queryFrequency: 6h
name: Third party integrated apps
status: Available
description: |
  'This query searches for your services by regulating the access of third-party integrated apps. 
   Only allow access to necessary apps that support robust security controls. 
   Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy.
   Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts.'  
query: |
  SenservaPro_CL
  | where ControlName_s == 'AzureSecureScoreIntegratedApps'  
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/ThirdPartyIntegratedApps.yaml
queryPeriod: 6h
relevantTechniques:
- T1020
id: BFA7EE22-B5A9-42C8-BD50-2E95885640BB
version: 1.0.1
triggerOperator: gt
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - SenservaPro_CL
  connectorId: SenservaPro
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: ControlName_s
  - identifier: AadTenantId
    columnName: TenantId
  - identifier: DisplayName
    columnName: TenantDisplayName_s
- entityType: SecurityGroup
  fieldMappings:
  - identifier: DistinguishedName
    columnName: Group_s
- entityType: AzureResource
  fieldMappings:
  - identifier: ResourceId
    columnName: SourceSystem
tactics:
- Exfiltration
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/BFA7EE22-B5A9-42C8-BD50-2E95885640BB')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/BFA7EE22-B5A9-42C8-BD50-2E95885640BB')]",
      "properties": {
        "alertRuleTemplateName": "BFA7EE22-B5A9-42C8-BD50-2E95885640BB",
        "customDetails": null,
        "description": "'This query searches for your services by regulating the access of third-party integrated apps. \n Only allow access to necessary apps that support robust security controls. \n Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy.\n Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts.'\n",
        "displayName": "Third party integrated apps",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ControlName_s",
                "identifier": "Name"
              },
              {
                "columnName": "TenantId",
                "identifier": "AadTenantId"
              },
              {
                "columnName": "TenantDisplayName_s",
                "identifier": "DisplayName"
              }
            ]
          },
          {
            "entityType": "SecurityGroup",
            "fieldMappings": [
              {
                "columnName": "Group_s",
                "identifier": "DistinguishedName"
              }
            ]
          },
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "SourceSystem",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/ThirdPartyIntegratedApps.yaml",
        "query": "SenservaPro_CL\n| where ControlName_s == 'AzureSecureScoreIntegratedApps'\n",
        "queryFrequency": "PT6H",
        "queryPeriod": "PT6H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1020"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}