From 5e57251c2d85acdcbf0713b5a9777e5ece746319 Mon Sep 17 00:00:00 2001
From: "byteray-cql-hub-bot[bot]" <261226166+byteray-cql-hub-bot[bot]@users.noreply.github.com>
Date: Thu, 21 May 2026 12:09:04 +0000
Subject: [PATCH] Add query: Application Consent Grant (Microsoft Entra ID)

---
 ...ation_consent_grant_microsoft_entra_id.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 queries/application_consent_grant_microsoft_entra_id.yml

diff --git a/queries/application_consent_grant_microsoft_entra_id.yml b/queries/application_consent_grant_microsoft_entra_id.yml
new file mode 100644
index 0000000..3966dcb
--- /dev/null
+++ b/queries/application_consent_grant_microsoft_entra_id.yml
@@ -0,0 +1,38 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: Application Consent Grant (Microsoft Entra ID)
+
+# MITRE ATT&CK technique IDs
+mitre_ids:
+ - T1550
+
+# Description of what the query does and its purpose.
+description: |
+ Detects when a user or administrator grants consent to an application in Microsoft Entra ID, allowing it to access organizational data via delegated or application permissions. While often legitimate, this action can indicate potential abuse if a malicious application is granted excessive permissions and should be reviewed.
+
+# The author or team that created the query.
+author: Kundan Kumar
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+log_sources:
+ - Other
+
+# Tags for filtering and categorization.
+tags:
+ - Detection
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+ #Vendor="microsoft"
+ | #event.module = azure
+ | #event.dataset = azure.entraid.audit
+ |Vendor.activityDisplayName ="Consent to application"
+ |table([source.user.name,source.ip,user_agent.original,user.full_name,Vendor.initiatedBy.user.displayName,"Vendor.targetResources[0].displayName",Vendor.initiatedBy.user.userPrincipalName])
+
+# Explanation of the query.
+# Using the YAML block scalar `|` allows for multi-line strings.
+# Uses markdown for formatting on the webpage.
+explanation: |
+ Detects when a user or administrator grants consent to an application in Microsoft Entra ID, allowing it to access organizational data via delegated or application permissions. While often legitimate, this action can indicate potential abuse if a malicious application is granted excessive permissions and should be reviewed.
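Review bot: The `explanation` block at the end of the hunk repeats the `description` verbatim, so an analyst landing on this query gets no triage guidance beyond what the title already says; the explanation should state what to check on a hit (who consented, which application, and what was granted) and what a benign grant typically looks like in this tenant. The `table()` call shows who consented and the consented app (`Vendor.targetResources[0].displayName`) but not the permissions granted or whether it was admin consent, yet the description's "excessive permissions" criterion depends on exactly that; if those properties are parsed from the audit record's modified-properties data, adding them to the table would make the output reviewable on its own, and a `limit=` on `table()` is worth stating explicitly if the default row cap could truncate results in a busy tenant. The ATT&CK mapping `T1550` (Use Alternate Authentication Material) describes using a token once held, whereas `T1528` (Steal Application Access Token) covers consent-grant abuse more directly, so consider listing it alongside or instead. Minor style: `|Vendor.activityDisplayName ="Consent to application"` has a space before `=` while the other filters do not, and `log_sources: - Other` is less specific than the `#event.dataset = azure.entraid.audit` filter the query already relies on.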