Third party integrated apps

Back


Id	BFA7EE22-B5A9-42C8-BD50-2E95885640BB
Rulename	Third party integrated apps
Description	This query searches for your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts.
Severity	High
Tactics	Exfiltration
Techniques	T1020
Required data connectors	SenservaPro
Kind	Scheduled
Query frequency	6h
Query period	6h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/ThirdPartyIntegratedApps.yaml
Version	1.0.1
Arm template	BFA7EE22-B5A9-42C8-BD50-2E95885640BB.json

KQL

SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreIntegratedApps'

YAML

version: 1.0.1
relevantTechniques:
- T1020
triggerThreshold: 0
name: Third party integrated apps
id: BFA7EE22-B5A9-42C8-BD50-2E95885640BB
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/ThirdPartyIntegratedApps.yaml
kind: Scheduled
severity: High
status: Available
description: |
  'This query searches for your services by regulating the access of third-party integrated apps. 
   Only allow access to necessary apps that support robust security controls. 
   Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy.
   Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts.'  
queryFrequency: 6h
requiredDataConnectors:
- dataTypes:
  - SenservaPro_CL
  connectorId: SenservaPro
queryPeriod: 6h
query: |
  SenservaPro_CL
  | where ControlName_s == 'AzureSecureScoreIntegratedApps'  
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: ControlName_s
  - identifier: AadTenantId
    columnName: TenantId
  - identifier: DisplayName
    columnName: TenantDisplayName_s
  entityType: Account
- fieldMappings:
  - identifier: DistinguishedName
    columnName: Group_s
  entityType: SecurityGroup
- fieldMappings:
  - identifier: ResourceId
    columnName: SourceSystem
  entityType: AzureResource
triggerOperator: gt
tactics:
- Exfiltration

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/BFA7EE22-B5A9-42C8-BD50-2E95885640BB')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/BFA7EE22-B5A9-42C8-BD50-2E95885640BB')]",
      "properties": {
        "alertRuleTemplateName": "BFA7EE22-B5A9-42C8-BD50-2E95885640BB",
        "customDetails": null,
        "description": "'This query searches for your services by regulating the access of third-party integrated apps. \n Only allow access to necessary apps that support robust security controls. \n Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy.\n Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts.'\n",
        "displayName": "Third party integrated apps",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ControlName_s",
                "identifier": "Name"
              },
              {
                "columnName": "TenantId",
                "identifier": "AadTenantId"
              },
              {
                "columnName": "TenantDisplayName_s",
                "identifier": "DisplayName"
              }
            ]
          },
          {
            "entityType": "SecurityGroup",
            "fieldMappings": [
              {
                "columnName": "Group_s",
                "identifier": "DistinguishedName"
              }
            ]
          },
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "SourceSystem",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/ThirdPartyIntegratedApps.yaml",
        "query": "SenservaPro_CL\n| where ControlName_s == 'AzureSecureScoreIntegratedApps'\n",
        "queryFrequency": "PT6H",
        "queryPeriod": "PT6H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1020"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}