Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community

MCAS alert ID for Unusual Addition of Credentials to Oauth App

Occasional Visitor

Does anybody know how to identify alerts in loganalytics that are triggered under the poliy "Unusual Addition of Credentials to an Oauth App"? I suspect it falls under ALERT_SUSPICIOUS_ACTIVITY. But how to identify this specfic alert?


1 Reply

Hello @yyydb,


With this simple query, you can find alerts related to "Unusual addition of credentials to an OAuth app". The policy id for this alert type is '5fe14f5b65a6e4ef21f569e8' which can also be used in the query if needed. 


| where ProviderName contains "MCAS"
| where AlertName contains "Unusual addition of credentials to an OAuth app"


Was this what you were looking for?