Jan 16 2020 06:33 AM
I recently reviewed a customers MCAS high severity alerts and noted a number of alerts with the subject - BUL-OauthAppPermissions-MicrosoftAccounts
I cannot find any information online regarding this detection and what it signifies?
I have reviewed this documentation:
This outlines 2 built in Oauth related policies but neither relate to the alerts I witnessed.
The customer in question has not created any custom policies.
I have also reviewed the release notes for MCAS and the notes for Release 154 (July 21 2019) state
OAuth app anomaly detections
We have expanded our current capability to detect suspicious OAuth apps. Four new detections are now available out-of-the-box that profile the metadata of OAuth apps authorized in your organization to identify ones that are potentially malicious.
I cant seem to find details of these, as I thought they may include the alert I am seeing.
Has anyone seen these alerts before?
Thanks
Paul
Feb 06 2020 08:55 AM
Solution
Hi PJR_CDF,
The policy BUL-OauthAppPermissions-MicrosoftAccounts is not a built-in OAuth detection policy. You can find the built-in OAuth policies by navigating to “Policies” and filtering on type “OAuth app anomaly detection policy”. In addition, setting the policy filter to show “OAuth app policy” will reveal custom policies created by administrators. Using the cogwheel to edit the policy will reveal the criteria for triggering the alert and adjustments can be made. Also, accessing the “Actions” on the policy page will allow you to disable the policy.
Feb 06 2020 08:55 AM
Solution
Hi PJR_CDF,
The policy BUL-OauthAppPermissions-MicrosoftAccounts is not a built-in OAuth detection policy. You can find the built-in OAuth policies by navigating to “Policies” and filtering on type “OAuth app anomaly detection policy”. In addition, setting the policy filter to show “OAuth app policy” will reveal custom policies created by administrators. Using the cogwheel to edit the policy will reveal the criteria for triggering the alert and adjustments can be made. Also, accessing the “Actions” on the policy page will allow you to disable the policy.