New Query: Application Consent Grant (Microsoft Entra ID)

queries/application_consent_grant_microsoft_entra_id.yml

@@ -0,0 +1,38 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: Application Consent Grant (Microsoft Entra ID)
+
+# MITRE ATT&CK technique IDs
+mitre_ids:
+  - T1550
+
+# Description of what the query does and its purpose.
+description: |
+  Detects when a user or administrator grants consent to an application in Microsoft Entra ID, allowing it to access organizational data via delegated or application permissions. While often legitimate, this action can indicate potential abuse if a malicious application is granted excessive permissions and should be reviewed.
+
+# The author or team that created the query.
+author: Kundan Kumar
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+log_sources:
+  - Other
+
+# Tags for filtering and categorization.
+tags:
+  - Detection
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+  #Vendor="microsoft"
+  | #event.module = azure
+  | #event.dataset = azure.entraid.audit
+  |Vendor.activityDisplayName ="Consent to application"
+  |table([source.user.name,source.ip,user_agent.original,user.full_name,Vendor.initiatedBy.user.displayName,"Vendor.targetResources[0].displayName",Vendor.initiatedBy.user.userPrincipalName])
+
+# Explanation of the query.
+# Using the YAML block scalar `|` allows for multi-line strings.
+# Uses markdown for formatting on the webpage.
+explanation: |
+  Detects when a user or administrator grants consent to an application in Microsoft Entra ID, allowing it to access organizational data via delegated or application permissions. While often legitimate, this action can indicate potential abuse if a malicious application is granted excessive permissions and should be reviewed.