MCAS alert ID for Unusual Addition of Credentials to Oauth App


Does anybody know how to identify alerts in Log Analytics that are triggered under the policy "Unusual Addition of Credentials to an OAuth App"? I suspect it falls under ALERT_SUSPICIOUS_ACTIVITY. But how to identify this specific alert?
1 Reply

Hello @yyydb,
With this simple query, you can find alerts related to "Unusual addition of credentials to an OAuth app". The policy id for this alert type is '5fe14f5b65a6e4ef21f569e8' which can also be used in the query if needed. 
SecurityAlert
| where ProviderName contains "MCAS"
| where AlertType == "MCAS_ALERT_ANUBIS_DETECTION_ADD_SECRET_TO_APP"
| where AlertName contains "Unusual addition of credentials to an OAuth app"
Was this what you were looking for?
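The same three predicates applied outside of KQL, for instance when checking exported SecurityAlert rows in a script. This is an added example, not code from the post above; the sample rows are constructed, and the assumption that the policy id shows up inside the ExtendedProperties JSON string is mine.

```python
import json

# Identifiers quoted in the answer above.
MCAS_PROVIDER = "MCAS"
ADD_SECRET_ALERT_TYPE = "MCAS_ALERT_ANUBIS_DETECTION_ADD_SECRET_TO_APP"
ADD_SECRET_ALERT_NAME = "Unusual addition of credentials to an OAuth app"
ADD_SECRET_POLICY_ID = "5fe14f5b65a6e4ef21f569e8"

# Constructed sample rows shaped like SecurityAlert records exported from Log Analytics.
# Only the columns the query touches are filled in.
SAMPLE_ROWS = [
    {"SystemAlertId": "alert-1", "ProviderName": "MCAS",
     "AlertType": ADD_SECRET_ALERT_TYPE,
     "AlertName": "Unusual addition of credentials to an OAuth app",
     "ExtendedProperties": json.dumps({"policyId": ADD_SECRET_POLICY_ID})},  # key assumed
    {"SystemAlertId": "alert-2", "ProviderName": "MCAS",
     "AlertType": "MCAS_ALERT_OTHER", "AlertName": "Impossible travel activity",
     "ExtendedProperties": "{}"},
    # Same display name but a different AlertType: the name alone is not enough.
    {"SystemAlertId": "alert-3", "ProviderName": "CustomProvider",
     "AlertType": "CUSTOM_RULE",
     "AlertName": "unusual addition of credentials to an oauth app",
     "ExtendedProperties": "{}"},
]


def is_unusual_credential_addition(row: dict) -> bool:
    """Mirror the KQL: `contains` is case-insensitive, `==` is case-sensitive."""
    provider_ok = MCAS_PROVIDER.lower() in row.get("ProviderName", "").lower()
    type_ok = row.get("AlertType") == ADD_SECRET_ALERT_TYPE
    name_ok = ADD_SECRET_ALERT_NAME.lower() in row.get("AlertName", "").lower()
    return provider_ok and type_ok and name_ok


def mentions_policy_id(row: dict) -> bool:
    """Optional extra check; assumes the policy id is embedded in ExtendedProperties."""
    return ADD_SECRET_POLICY_ID in row.get("ExtendedProperties", "")


def find_matching_alerts(rows) -> list:
    """Return the SystemAlertId of every row that satisfies the query's predicates."""
    return [r["SystemAlertId"] for r in rows if is_unusual_credential_addition(r)]


if __name__ == "__main__":
    print(find_matching_alerts(SAMPLE_ROWS))  # ['alert-1']
```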
