Jun 07 2021 12:26 AM
Does anybody know how to identify alerts in Log Analytics that are triggered under the policy "Unusual Addition of Credentials to an OAuth App"? I suspect it falls under ALERT_SUSPICIOUS_ACTIVITY. But how to identify this specific alert?
Jun 17 2021 03:15 AM
Hello @yyydb,
With this simple query, you can find alerts related to "Unusual addition of credentials to an OAuth app". The policy id for this alert type is '5fe14f5b65a6e4ef21f569e8' which can also be used in the query if needed.
SecurityAlert
| where ProviderName contains "MCAS"
| where AlertType == "MCAS_ALERT_ANUBIS_DETECTION_ADD_SECRET_TO_APP"
| where AlertName contains "Unusual addition of credentials to an OAuth app"
Was this what you were looking for?
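As an added example (not part of the answer above), the query below builds on the same filters to produce a triage list rather than a bare match. It uses the standard SecurityAlert columns (TimeGenerated, ProviderName, AlertType, AlertName, AlertSeverity, CompromisedEntity, Description, ExtendedProperties, Entities, AlertLink). The assumption that the policy id quoted in the answer appears somewhere in ExtendedProperties is mine; check it against a real alert before relying on that clause.

```kql
// Added example, not from the original post.
// Lists MCAS alerts for unusual credential additions to an OAuth app,
// with the fields an analyst needs to triage them.
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProviderName has "MCAS"
// Match on the alert type from the answer; fall back to the alert name
// in case the type string changes in a future provider release.
| where AlertType == "MCAS_ALERT_ANUBIS_DETECTION_ADD_SECRET_TO_APP"
     or AlertName has "Unusual addition of credentials to an OAuth app"
// Assumption: the policy id is present in the raw ExtendedProperties JSON.
// Remove this clause if that turns out not to be the case in your tenant.
| where ExtendedProperties has "5fe14f5b65a6e4ef21f569e8"
| extend Props = parse_json(ExtendedProperties)
| extend Ents  = parse_json(Entities)
| project TimeGenerated, AlertName, AlertSeverity, CompromisedEntity,
          Description, Props, Ents, AlertLink
| sort by TimeGenerated desc
```

Replacing the `project`/`sort` lines with `summarize count() by bin(TimeGenerated, 1d), CompromisedEntity` turns the same filter into a daily trend per affected entity, which is useful for spotting a burst of credential additions against one application.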