Historical data applications access to potentially sensitive data

Question

Hello everyone.&nbsp;I found&nbsp;this hunting query&nbsp;for finding occurrences of users granting access to applications, which is a nice query considering this is become a quite popular way of attackers to get illicit access to potentially sensitive information trough the mail application and such.&nbsp;Better explanation of the attack.&nbsp;Now I'm curious if anyone has an idea where to look for historical data of applications that have been granted access, accessing other applications such as email etc.&nbsp;

clivewatson · Answer

stianhoydal&nbsp;
&nbsp;
Are you looking for data here:
AuditLogs
| where Category =="ApplicationManagement"
&nbsp;
There are lots of application specific operations
&nbsp;

AuditLogs
| where Category =="ApplicationManagement"
| extend displayName_ = tostring(TargetResources[0].displayName)
| where OperationName has "application"
&nbsp;
Examples:

OperationName
&nbsp;

Add application
&nbsp;

Add owner to application
&nbsp;

Update application – Certificates and secrets management
&nbsp;

Update application
&nbsp;

Consent to application
&nbsp;

Delete application
&nbsp;

&nbsp;
&nbsp;

stianhoydal · Answer

CliveWatson&nbsp;&nbsp;Yes this is a great way of finding the occurrences of apps being granted permissions, but i am curious how i find information about what potentially malicious apps are doing with this information.&nbsp;Say i find a user has given permissions to an application named "notavirus.exe". How do i find logs on what this application does with its permissions? For example a malicious application might use illicitly gained permissions to view users emails and such.&nbsp;

Forum Discussion

Historical data applications access to potentially sensitive data

Share

Resources

OperationName
Add application
Add owner to application
Update application – Certificates and secrets management
Update application
Consent to application
Delete application