Third party integrated apps
Id | BFA7EE22-B5A9-42C8-BD50-2E95885640BB |
Rulename | Third party integrated apps |
Description | This query searches for your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. |
Severity | High |
Tactics | Exfiltration |
Techniques | T1020 |
Required data connectors | SenservaPro |
Kind | Scheduled |
Query frequency | 6h |
Query period | 6h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/ThirdPartyIntegratedApps.yaml |
Version | 1.0.1 |
Arm template | BFA7EE22-B5A9-42C8-BD50-2E95885640BB.json |
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreIntegratedApps'
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/ThirdPartyIntegratedApps.yaml
queryPeriod: 6h
requiredDataConnectors:
- dataTypes:
- SenservaPro_CL
connectorId: SenservaPro
relevantTechniques:
- T1020
queryFrequency: 6h
entityMappings:
- entityType: Account
fieldMappings:
- columnName: ControlName_s
identifier: Name
- columnName: TenantId
identifier: AadTenantId
- columnName: TenantDisplayName_s
identifier: DisplayName
- entityType: SecurityGroup
fieldMappings:
- columnName: Group_s
identifier: DistinguishedName
- entityType: AzureResource
fieldMappings:
- columnName: SourceSystem
identifier: ResourceId
kind: Scheduled
query: |
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreIntegratedApps'
id: BFA7EE22-B5A9-42C8-BD50-2E95885640BB
description: |
'This query searches for your services by regulating the access of third-party integrated apps.
Only allow access to necessary apps that support robust security controls.
Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy.
Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts.'
name: Third party integrated apps
tactics:
- Exfiltration
version: 1.0.1
severity: High
status: Available
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/BFA7EE22-B5A9-42C8-BD50-2E95885640BB')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/BFA7EE22-B5A9-42C8-BD50-2E95885640BB')]",
"properties": {
"alertRuleTemplateName": "BFA7EE22-B5A9-42C8-BD50-2E95885640BB",
"customDetails": null,
"description": "'This query searches for your services by regulating the access of third-party integrated apps. \n Only allow access to necessary apps that support robust security controls. \n Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy.\n Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts.'\n",
"displayName": "Third party integrated apps",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ControlName_s",
"identifier": "Name"
},
{
"columnName": "TenantId",
"identifier": "AadTenantId"
},
{
"columnName": "TenantDisplayName_s",
"identifier": "DisplayName"
}
]
},
{
"entityType": "SecurityGroup",
"fieldMappings": [
{
"columnName": "Group_s",
"identifier": "DistinguishedName"
}
]
},
{
"entityType": "AzureResource",
"fieldMappings": [
{
"columnName": "SourceSystem",
"identifier": "ResourceId"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/ThirdPartyIntegratedApps.yaml",
"query": "SenservaPro_CL\n| where ControlName_s == 'AzureSecureScoreIntegratedApps'\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Exfiltration"
],
"techniques": [
"T1020"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}