Historical data applications access to potentially sensitive data


Hello everyone.

 

I found this hunting query for finding occurrences of users granting access to applications, which is a nice query considering this has become a quite popular way for attackers to get illicit access to potentially sensitive information through the mail application and such. Better explanation of the attack.

 

Now I'm curious if anyone has an idea where to look for historical data of applications that have been granted access, accessing other applications such as email etc. 

2 Replies

@stianhoydal 

 

Are you looking for data here:

AuditLogs
| where Category == "ApplicationManagement"

 

There are lots of application specific operations

 


AuditLogs
| where Category == "ApplicationManagement"
// pull the target application's name out of the dynamic TargetResources column
| extend displayName_ = tostring(TargetResources[0].displayName)
// keep only operations whose name contains the term "application"
| where OperationName has "application"

 

Examples:

OperationName
Add application
Add owner to application
Update application – Certificates and secrets management
Update application
Consent to application
Delete application

 

 
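The same filter-and-extend logic as the query above, applied in Python to AuditLogs-shaped records (for example rows exported from the workspace), as an added example that is not code from this thread: Category, OperationName and TargetResources[0].displayName follow the query; the InitiatedBy.user.userPrincipalName field is an assumption about the schema, and the sample rows are constructed.

```python
import re

# Constructed sample rows shaped like Sentinel's AuditLogs table; Category, OperationName
# and TargetResources follow the thread's query, InitiatedBy is an assumed column name.
SAMPLE_AUDIT_LOGS = [
    {"Category": "ApplicationManagement", "OperationName": "Consent to application",
     "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "TargetResources": [{"displayName": "notavirus.exe"}]},
    {"Category": "ApplicationManagement", "OperationName": "Add owner to application",
     "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "TargetResources": [{"displayName": "notavirus.exe"}]},
    {"Category": "UserManagement", "OperationName": "Update user",
     "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "TargetResources": [{"displayName": "Bob"}]},
    {"Category": "ApplicationManagement", "OperationName": "Consent to application",
     "InitiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
     "TargetResources": [{"displayName": "Contoso Expense Tracker"}]},
]

def _has_term(text, term):
    """Approximate KQL 'has': case-insensitive match of a whole term, not a substring."""
    return term.lower() in re.findall(r"[a-z0-9]+", text.lower())

def application_operations(records):
    """Python equivalent of the thread's KQL: filter on Category, extend displayName_,
    keep rows whose OperationName has the term 'application'."""
    rows = []
    for r in records:
        if r.get("Category") != "ApplicationManagement":
            continue
        if not _has_term(r.get("OperationName", ""), "application"):
            continue
        targets = r.get("TargetResources") or [{}]
        initiator = r.get("InitiatedBy", {}).get("user", {})
        rows.append({
            "OperationName": r["OperationName"],
            "displayName_": str(targets[0].get("displayName", "")),  # tostring(...)
            "initiatedBy": initiator.get("userPrincipalName", ""),
        })
    return rows

def consents_by_user(records):
    """Group 'Consent to application' rows by consenting user, the pivot a responder
    needs to go from one suspicious app name to every user who granted it."""
    grouped = {}
    for row in application_operations(records):
        if row["OperationName"] == "Consent to application":
            grouped.setdefault(row["initiatedBy"], []).append(row["displayName_"])
    return grouped
```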


@Clive Watson 

 

Yes, this is a great way of finding the occurrences of apps being granted permissions, but I am curious how I find information about what potentially malicious apps are doing with this information.

 

Say I find a user has given permissions to an application named "notavirus.exe". How do I find logs on what this application does with its permissions? For example, a malicious application might use illicitly gained permissions to view users' emails and such.