Detects suspicious OAuth application integrations within Office 365 or Google Workspace environments, such as new app registrations, unexpected consent grants, or privilege assignments. Defenders should correlate application creation/modification events with the associated user or service principal activity to identify persistence via app integrations.

| Data Component | Channel | Name |
|---|---|---|
| Active Directory Object Modification (DC0066) | m365:unified | Add app role assignment grant to user: Consent to application by privileged or unexpected accounts |
| Cloud Service Modification (DC0069) | azure:audit | Consent to application: OAuth application consent granted to service principal |

| Field | Description |
|---|---|
| PrivilegedUserList | Defines which accounts are authorized to consent to or register applications; deviations indicate possible adversary persistence. |
| ApplicationScopeThreshold | Defines which OAuth scopes are considered risky (e.g., Mail.ReadWrite, Files.ReadWrite.All). |
Detects anomalous SaaS application integration activity across environments such as Slack, Salesforce, or other enterprise SaaS services. The focus is on unauthorized app additions, unusual permission grants, and persistence through service principal tokens.

| Data Component | Channel | Name |
|---|---|---|
| Cloud Service Modification (DC0069) | saas:integration | New or modified third-party application integrations with elevated permissions |
| Application Log Content (DC0038) | saas:audit | Application added or consent granted: Integration persisting after original user disabled |

| Field | Description |
|---|---|
| AppWhitelist | Defines the approved SaaS integrations for the enterprise; deviations indicate suspicious persistence. |
| ConsentDelegationPolicy | Threshold defining which users may self-consent to integrations; lowering it may reduce false positives. |
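As an added example covering both analytics above (not part of the original detection strategy), the following Python evaluates constructed consent and integration records against the mutable elements PrivilegedUserList, ApplicationScopeThreshold and AppWhitelist, and flags integrations whose owner has since been disabled. The simplified event fields, the DISABLED_USERS set and all sample values are assumptions for illustration, not a real log schema.

```python
from dataclasses import dataclass

# Mutable elements from the analytics above, with constructed values.
PRIVILEGED_USER_LIST = {"admin@example.com"}      # may consent to / register apps
APPLICATION_SCOPE_THRESHOLD = {"Mail.ReadWrite", "Files.ReadWrite.All"}  # risky scopes
APP_WHITELIST = {"Approved Calendar Sync"}        # approved SaaS integrations
DISABLED_USERS = {"former.employee@example.com"}  # assumed feed from the IdP; constructed

CONSENT_OPS = {"Consent to application", "Add app role assignment grant to user"}


@dataclass(frozen=True)
class Event:
    channel: str    # e.g. "m365:unified", "azure:audit", "saas:integration"
    operation: str
    actor: str      # consenting account, or owner of the SaaS integration
    app: str
    scopes: frozenset


def evaluate(event: Event) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if event.channel in {"m365:unified", "azure:audit"} and event.operation in CONSENT_OPS:
        if event.actor not in PRIVILEGED_USER_LIST:
            reasons.append("consent by account outside PrivilegedUserList")
        risky = sorted(event.scopes & APPLICATION_SCOPE_THRESHOLD)
        if risky:
            reasons.append("risky scopes granted: " + ", ".join(risky))
    if event.channel == "saas:integration":
        if event.app not in APP_WHITELIST:
            reasons.append("integration not in AppWhitelist")
        if event.actor in DISABLED_USERS:
            reasons.append("integration persists after owner was disabled")
    return reasons


# Constructed sample records (not real audit log output).
SAMPLE_EVENTS = [
    Event("m365:unified", "Consent to application", "admin@example.com",
          "Approved Calendar Sync", frozenset({"Calendars.Read"})),
    Event("m365:unified", "Consent to application", "jdoe@example.com",
          "Mail Helper", frozenset({"Mail.ReadWrite", "offline_access"})),
    Event("saas:integration", "Application added", "former.employee@example.com",
          "Bulk Exporter", frozenset({"files:read"})),
]


def triage(events=SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """Return (app, reasons) for every event that raised at least one reason."""
    return [(e.app, r) for e in events if (r := evaluate(e))]


if __name__ == "__main__":
    for app, reasons in triage():
        print(app, "->", "; ".join(reasons))
```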