Does anybody know how to identify alerts in Log Analytics that are triggered under the policy "Unusual Addition of Credentials to an OAuth App"? I suspect it falls under ALERT_SUSPICIOUS_ACTIVITY. But how to identify this specific alert?
With this simple query, you can find alerts related to "Unusual addition of credentials to an OAuth app". The policy id for this alert type is '5fe14f5b65a6e4ef21f569e8' which can also be used in the query if needed.
SecurityAlert
| where ProviderName contains "MCAS"
| where AlertType == "MCAS_ALERT_ANUBIS_DETECTION_ADD_SECRET_TO_APP"
| where AlertName contains "Unusual addition of credentials to an OAuth app"
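As an added example (not the answer's own query), the same filter can be widened into a triage view: it matches on the exact AlertType, falls back to the policy id quoted in the answer, and projects the columns an analyst needs first. It assumes the policy id, when present, is embedded in the ExtendedProperties JSON string of the SecurityAlert row; the time window is an arbitrary choice.

```kql
// Added example; not part of the original answer.
// Assumption: the policy id (if present) sits inside ExtendedProperties.
let policyId = "5fe14f5b65a6e4ef21f569e8";
SecurityAlert
| where TimeGenerated > ago(30d)                      // window is an arbitrary choice
| where ProviderName contains "MCAS"
| where AlertType == "MCAS_ALERT_ANUBIS_DETECTION_ADD_SECRET_TO_APP"
    or ExtendedProperties has policyId                // fallback on the policy id
| project TimeGenerated,
          AlertName,
          AlertSeverity,
          CompromisedEntity,                          // account/app the alert is about
          Description,
          AlertLink                                   // deep link back to the portal
| order by TimeGenerated desc
```

Swap the `project` line for `summarize count() by bin(TimeGenerated, 1d), AlertSeverity` to see how often the detection fires before wiring it into an analytics rule.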