OAuth App confusion

My colleague added an app, and we got the following alert:

The user xxx (xxx@ourtenant.com) performed an unusual addition of credentials to Prisma Cloud App gctvc. This usage pattern may indicate that an attacker has compromised the app, and is using it for phishing, exfiltration, or lateral movement. The user added a credentials of type Password, where an application is using a password to authenticate.

When I look at the OAuth apps page in MCAS, I don't see this app, but when I look in AAD, I do. Can someone help me understand what is going on?

3 Replies
MCAS only lists apps that use Delegate permissions; that might explain it.
Thanks, that is an interesting idea, but when I look at the permissions page for the app in AAD, nothing is listed for Admin or User consent. Where else should I be looking?
No permissions at all? That's very strange...