Skip to content

New Query: OAuth2 Token Burst — Token Harvesting (Microsoft Defender for Identity) #56

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dweissbacher merged 1 commit into from
May 21, 2026
+55 −0
Merged

New Query: OAuth2 Token Burst — Token Harvesting (Microsoft Defender for Identity) #56

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions queries/oauth2_token_burst_token_harvesting_microsoft_defender_for_identity.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: OAuth2 Token Burst — Token Harvesting (Microsoft Defender for Identity)

# MITRE ATT&CK technique IDs
mitre_ids:
- T1528

# Description of what the query does and its purpose.
description: |
Detects a sudden surge in OAuth2 token requests or acquisitions within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate token harvesting activity, where an attacker attempts to obtain multiple access tokens to abuse authentication sessions and maintain unauthorized access.

# The author or team that created the query.
author: Kundan Kumar

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Identity

# The CrowdStrike modules required to run this query.
cs_required_modules:
- Identity

# Tags for filtering and categorization.
tags:
- Detection

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
#Vendor = "microsoft"
| #event.module = "defender-identity"
| Vendor.category = "AdvancedHunting-IdentityLogonEvents"
| Vendor.properties.LogonType = "OAuth2:Token"
| groupBy([user.name], function=[
count(as=token_requests),
count(field=Vendor.properties.DestinationDeviceName, distinct=true, as=unique_destinations),
collect(fields=[Vendor.properties.DestinationDeviceName,"Vendor.properties.AdditionalFields.ARG.CLOUD_SERVICE",Vendor.properties.Application,source.address]),
min(@timestamp, as=start_time),
max(@timestamp, as=end_time)
])
| token_requests >= 10
| time_diff_min := (end_time - start_time) / 60000
| time_diff_min <= 10
| start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
| end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
| drop([start_time, end_time])
| sort([token_requests], order=desc)

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
Detects a sudden surge in OAuth2 token requests or acquisitions within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate token harvesting activity, where an attacker attempts to obtain multiple access tokens to abuse authentication sessions and maintain unauthorized access.
Loading