Consent to Application discovery

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This query looks at the last 14 days for "Consent to application" operation by a user/app which could potentially mean unauthorized access. Additional context is added from AuditLogs based on CorrleationId from the same account that performed the action.

Attribute Value
Type Hunting Query
Solution Standalone Content
ID b09d6e57-c48b-491d-9c2b-ab73018e6534
Tactics Persistence
Techniques T1136
Required Connectors AzureActiveDirectory
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
AuditLogs OperationName == "Consent to application"
OperationName != "Consent to application"		 ?

Associated Connectors

The following connectors provide data for this content item:

Connector Solution
AzureActiveDirectory Microsoft Entra ID

Solutions: Microsoft Entra ID

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Hunting Queries