stianhoydal
Brass Contributor
Oct 09, 2020

Historical data applications access to potentially sensitive data

Hello everyone.

I found https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/ConsentToApplicationDiscovery.yaml for finding occurrences of users granting access to applications, which is a nice query considering this has become quite a popular way for attackers to get illicit access to potentially sensitive information through the mail application and such. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide


Now I'm curious if anyone has an idea where to look for historical data of applications that have been granted access, accessing other applications such as email etc. 

2 Replies

  • stianhoydal 

     

    Are you looking for data here:

    AuditLogs
    | where Category =="ApplicationManagement"

     

    There are lots of application specific operations

     

    
    AuditLogs
    | where Category =="ApplicationManagement"
    | extend displayName_ = tostring(TargetResources[0].displayName)
    | where OperationName has "application"

     

    Examples:

    OperationName  
    Add application  
    Add owner to application  
    Update application – Certificates and secrets management  
    Update application  
    Consent to application  
    Delete application  
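
Building on the AuditLogs queries in the reply above, this added example (not code from either poster or from the Azure-Sentinel repository) lists each consent event with the operations recorded on the same app afterwards. The sample rows are constructed, and the query assumes that `TargetResources[0].displayName` names the app (as the reply's query does) and that consented permissions appear in a `ConsentAction.Permissions` modified property.

```kusto
// Constructed sample rows mimicking the AuditLogs columns used in this thread.
// In a workspace, replace the datatable with:  let Audit = AuditLogs;
let Audit = datatable(TimeGenerated:datetime, Category:string, OperationName:string,
                      InitiatedBy:dynamic, TargetResources:dynamic)
[
  datetime(2020-10-01 09:00:00), "ApplicationManagement", "Consent to application",
    dynamic({"user":{"userPrincipalName":"alice@contoso.example"}}),
    dynamic([{"displayName":"notavirus.exe","modifiedProperties":[
      {"displayName":"ConsentAction.Permissions","newValue":"Scope: Mail.Read"}]}]),
  datetime(2020-10-02 14:30:00), "ApplicationManagement",
    "Update application – Certificates and secrets management",
    dynamic({"user":{"userPrincipalName":"bob@contoso.example"}}),
    dynamic([{"displayName":"notavirus.exe","modifiedProperties":[]}]),
  datetime(2020-10-03 08:15:00), "ApplicationManagement", "Consent to application",
    dynamic({"user":{"userPrincipalName":"carol@contoso.example"}}),
    dynamic([{"displayName":"Payroll Portal","modifiedProperties":[
      {"displayName":"ConsentAction.Permissions","newValue":"Scope: User.Read"}]}])
];
// One row per consent event: which app, who granted it, which permissions.
let Consents = Audit
  | where Category == "ApplicationManagement" and OperationName == "Consent to application"
  | extend AppName = tostring(TargetResources[0].displayName),
           GrantedBy = tostring(InitiatedBy.user.userPrincipalName)
  // Assumption: permissions are recorded in the "ConsentAction.Permissions" property.
  // Consent events without that property are dropped by this mv-apply.
  | mv-apply Prop = TargetResources[0].modifiedProperties on (
      where tostring(Prop.displayName) == "ConsentAction.Permissions"
      | project Permissions = tostring(Prop.newValue))
  | project ConsentTime = TimeGenerated, AppName, GrantedBy, Permissions;
// Every other application-management operation, keyed by the same app name.
let OtherOps = Audit
  | where Category == "ApplicationManagement" and OperationName != "Consent to application"
  | project OpTime = TimeGenerated, Operation = OperationName,
            Actor = tostring(InitiatedBy.user.userPrincipalName),
            AppName = tostring(TargetResources[0].displayName);
// Attach to each consent the operations recorded on that app afterwards.
Consents
| join kind=leftouter OtherOps on AppName
| summarize LaterOperations = make_list_if(
      bag_pack("time", OpTime, "operation", Operation, "actor", Actor),
      isnotnull(OpTime) and OpTime > ConsentTime)
    by AppName, ConsentTime, GrantedBy, Permissions
| order by ConsentTime desc
```

This stays within AuditLogs, so it shows directory-side changes to a consented app, not what the app reads with its permissions.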

     

     

    • stianhoydal
      Brass Contributor

      CliveWatson 

       

      Yes, this is a great way of finding the occurrences of apps being granted permissions, but I am curious how I find information about what potentially malicious apps are doing with this information.

      Say I find a user has given permissions to an application named "notavirus.exe". How do I find logs on what this application does with its permissions? For example, a malicious application might use illicitly gained permissions to view users' emails and such.
