cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community
Find out more

MCAS alert ID for Unusual Addition of Credentials to Oauth App

yyydb
Occasional Visitor

‎Jun 07 2021 12:26 AM

‎Jun 07 2021 12:26 AM

MCAS alert ID for Unusual Addition of Credentials to Oauth App

Does anybody know how to identify alerts in loganalytics that are triggered under the poliy "Unusual Addition of Credentials to an Oauth App"? I suspect it falls under ALERT_SUSPICIOUS_ACTIVITY. But how to identify this specfic alert?

 

Labels:
1,433 Views
1 Like
1 Reply
Reply
1 Reply
Sami Lamppu

‎Jun 17 2021 03:15 AM

‎Jun 17 2021 03:15 AM

Re: MCAS alert ID for Unusual Addition of Credentials to Oauth App

Hello @yyydb,

 

With this simple query, you can find alerts related to "Unusual addition of credentials to an OAuth app". The policy id for this alert type is '5fe14f5b65a6e4ef21f569e8' which can also be used in the query if needed. 

 

SecurityAlert
| where ProviderName contains "MCAS"
| where AlertType == "MCAS_ALERT_ANUBIS_DETECTION_ADD_SECRET_TO_APP"
| where AlertName contains "Unusual addition of credentials to an OAuth app"

 

Was this what you were looking for?

0 Likes
Reply