cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

OAuth App confusion

Dean Gross
Silver Contributor

‎Jun 26 2021 09:38 AM

‎Jun 26 2021 09:38 AM

OAuth App confusion

My colleague added an app, and we got the following alert, 

The user xxx (xxx@ourtenant.com) performed an unusual addition of credentials to Prisma Cloud App gctvc. This usage pattern may indicate that an attacker has compromised the app, and is using it for phishing, exfiltration, or lateral movement. The user added a credentials of type Password, where an application is using a password to authenticate.

When I look at the Oauth apps page in MCAS, i don't see this app, but when I look in AAD, I do. Can someone help me understand what is going on?

 

Labels:
1,702 Views
0 Likes
3 Replies
Reply
3 Replies
Vasil Michev

‎Jun 26 2021 09:42 AM

‎Jun 26 2021 09:42 AM

Re: OAuth App confusion

MCAS only lists apps that use Delegate permissions, that might explain it.
0 Likes
Reply
Dean Gross

‎Jun 26 2021 11:37 AM

‎Jun 26 2021 11:37 AM

Re: OAuth App confusion

Thanks, that is an interesting idea, but when I look at the permissions page for the app in AAD, nothing is listed for Admin or User consent. where else should I be looking?
0 Likes
Reply
Vasil Michev

‎Jun 27 2021 10:17 AM

‎Jun 27 2021 10:17 AM

Re: OAuth App confusion

No permissions at all? That's very strange...
0 Likes
Reply