Jun 26 2021 09:38 AM
My colleague added an app, and we got the following alert:
The user xxx (xxx@ourtenant.com) performed an unusual addition of credentials to Prisma Cloud App gctvc. This usage pattern may indicate that an attacker has compromised the app, and is using it for phishing, exfiltration, or lateral movement. The user added a credentials of type Password, where an application is using a password to authenticate.
When I look at the OAuth apps page in MCAS, I don't see this app, but when I look in AAD, I do. Can someone help me understand what is going on?