T1671 Cloud Application Integration Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPermissions = dynamic(["Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All", "User.Read.All", "Directory.Read.All", "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Application.ReadWrite.All", "full_access_as_app"]);
let LookbackPeriod = 30d;
AuditLogs
| where TimeGenerated > ago(LookbackPeriod)
| where OperationName in (
    "Consent to application",
    "Add application",
    "Add service principal",
    "Add OAuth2PermissionGrant",
    "Add delegated permission grant",
    "Update application",
    "Add app role assignment to service principal",
    "Add app role assignment grant to user"
  )
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend InitiatedByIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetAppName = tostring(TargetResources[0].displayName)
| extend TargetAppId = tostring(TargetResources[0].id)
| extend TargetAppType = tostring(TargetResources[0].type)
| extend ModifiedProperties = TargetResources[0].modifiedProperties
| mv-expand ModifiedProperties
| extend PropName = tostring(ModifiedProperties.displayName)
| extend PropNewValue = tostring(ModifiedProperties.newValue)
| where PropName in ("ConsentType", "Permissions", "DelegatedPermissionGrant.Scope", "AppRoles") or OperationName in ("Add application", "Add service principal")
| extend IsAdminConsent = iff(PropName == "ConsentType" and PropNewValue has "AllPrincipals", true, false)
| extend HasSuspiciousPermission = iff(PropNewValue has_any (SuspiciousPermissions), true, false)
| where IsAdminConsent == true or HasSuspiciousPermission == true or OperationName in ("Add application", "Add service principal")
| summarize
    EventCount = count(),
    Operations = make_set(OperationName),
    GrantedPermissions = make_set(PropNewValue),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by InitiatedByUser, InitiatedByApp, InitiatedByIPAddress, TargetAppName, TargetAppId, IsAdminConsent, HasSuspiciousPermission
| extend RiskScore = case(
    IsAdminConsent == true and HasSuspiciousPermission == true, "Critical",
    IsAdminConsent == true, "High",
    HasSuspiciousPermission == true, "High",
    "Medium"
  )
| project FirstSeen, LastSeen, InitiatedByUser, InitiatedByIPAddress, TargetAppName, TargetAppId, Operations, GrantedPermissions, IsAdminConsent, HasSuspiciousPermission, RiskScore, EventCount
| order by FirstSeen desc

high severity high confidence

Data Sources

Microsoft Entra ID Microsoft Sentinel Azure AD Audit Logs

Required Tables

AuditLogs

False Positives

Legitimate IT administrators deploying enterprise applications that require admin consent for business-critical permissions
Productivity application onboarding during organizational rollouts (e.g., deploying a new CRM, ITSM, or HR integration)
Third-party security vendors requiring Mail.Read or Directory.Read.All for legitimate CASB, DLP, or threat protection services
Developers registering applications in development tenants or sandbox environments for testing purposes
Microsoft-published first-party applications being re-consented after permission scope changes in product updates

Splunk

spl

index=* (sourcetype="o365:management:activity" OR sourcetype="azure:aad:audit")
| search Operation IN (
    "Consent to application",
    "Add application.",
    "Add service principal.",
    "Add OAuth2PermissionGrant.",
    "Add delegated permission grant.",
    "Update application.",
    "Add app role assignment to service principal.",
    "Add app role assignment grant to user."
  )
| eval actor = coalesce(UserId, 'Actor{}.ID', ClientIP)
| eval target_app = coalesce(ObjectId, 'Target{0}.ID')
| eval modified_props = 'ModifiedProperties{}'
| eval permissions_raw = mvjoin(modified_props, "|")
| eval is_admin_consent = if(match(permissions_raw, "AllPrincipals"), "true", "false")
| eval high_priv_perms = if(
    match(permissions_raw, "Mail\.Read|Mail\.ReadWrite|Files\.Read\.All|Files\.ReadWrite\.All|Directory\.ReadWrite\.All|RoleManagement\.ReadWrite|Application\.ReadWrite\.All|full_access_as_app|User\.Read\.All"),
    "true",
    "false"
  )
| where is_admin_consent="true" OR high_priv_perms="true" OR Operation IN ("Add application.", "Add service principal.")
| eval risk_score = case(
    is_admin_consent="true" AND high_priv_perms="true", "Critical",
    is_admin_consent="true", "High",
    high_priv_perms="true", "High",
    true(), "Medium"
  )
| stats
    count AS event_count,
    values(Operation) AS operations,
    values(permissions_raw) AS granted_permissions,
    min(_time) AS first_seen,
    max(_time) AS last_seen,
    values(ClientIP) AS source_ips
  BY actor, target_app, is_admin_consent, high_priv_perms, risk_score
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - risk_score, - event_count
| table first_seen, last_seen, actor, target_app, operations, granted_permissions, is_admin_consent, high_priv_perms, risk_score, event_count, source_ips

high severity high confidence

Data Sources

Microsoft Office 365 Azure Active Directory Splunk Add-on for Microsoft Office 365

Required Sourcetypes

o365:management:activity azure:aad:audit

False Positives

Enterprise IT teams performing bulk application consent during Microsoft 365 tenant migrations or onboarding
Authorized third-party security vendors (CASB, email security gateways) requiring broad mail or directory permissions
Developer accounts in non-production tenants registering test applications with elevated scopes for integration testing
Microsoft-published applications (Teams apps, Compliance Center) requesting permission scope updates during product updates
Managed service providers performing delegated administration tasks on behalf of client organizations

Elastic Security (EQL)

eql

file where event.type in ("creation", "change") and (
  file.path : ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*") and
  file.extension in ("exe", "dll", "bat", "ps1", "vbs", "hta", "js")
) and not process.code_signature.trusted == true

high severity high confidence

Data Sources

Elastic Endpoint Security

Required Tables

logs-endpoint.events.file-*

False Positives

Legitimate IT administrators deploying enterprise applications that require admin consent for business-critical permissions
Productivity application onboarding during organizational rollouts (e.g., deploying a new CRM, ITSM, or HR integration)
Third-party security vendors requiring Mail.Read or Directory.Read.All for legitimate CASB, DLP, or threat protection services

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS UserPrincipalName,
    sourceip AS SourceIP,
    "EventName" AS Operation,
    CASE
        WHEN "EventName" ILIKE '%delete%' OR "EventName" ILIKE '%remove%' THEN 85
        WHEN "EventName" ILIKE '%add%' OR "EventName" ILIKE '%create%' THEN 70
        WHEN "EventName" ILIKE '%update%' THEN 65
        ELSE 55
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure', 'Azure Active Directory Audit Log')
    AND ("EventName" ILIKE '%subscription%'
        OR "EventName" ILIKE '%consent%'
        OR "EventName" ILIKE '%permission%'
        OR "EventName" ILIKE '%role%')
    AND RiskScore >= 65
ORDER BY EventTime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate IT administrators deploying enterprise applications that require admin consent for business-critical permissions
Productivity application onboarding during organizational rollouts (e.g., deploying a new CRM, ITSM, or HR integration)
Third-party security vendors requiring Mail.Read or Directory.Read.All for legitimate CASB, DLP, or threat protection services

Sumo Logic CSE

sql

_sourceCategory=azure/audit OR _sourceCategory=azure/signin
| json auto
| where operation_name matches /(add|delete|update|consent|create)/i
| where !(initiated_by_user matches /service-/) 
| if(result_reason matches /fail/i, "Failed", "Success") as result
| if(operation_name matches /delete/i, 85,
    if(operation_name matches /consent/i, 80,
    if(operation_name matches /(add|create)/i, 70, 55))) as risk_score
| where risk_score >= 70
| count by initiated_by_user, operation_name, target_display_name, risk_score, source_ip
| sort - risk_score

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=azure/audit OR _sourceCategory=azure/signin

False Positives

Legitimate IT administrators deploying enterprise applications that require admin consent for business-critical permissions
Productivity application onboarding during organizational rollouts (e.g., deploying a new CRM, ITSM, or HR integration)
Third-party security vendors requiring Mail.Read or Directory.Read.All for legitimate CASB, DLP, or threat protection services

Google Chronicle / SecOps

yaral

rule detection_t1671 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Cloud Application Integration cloud activity - T1671"
    severity = "HIGH"
    mitre_attack = "T1671"
    reference = "https://attack.mitre.org/techniques/T1671/"

  events:
    $e.metadata.event_type = "USER_CHANGE"
    $e.principal.user.userid = $user
    $e.principal.ip = $source_ip
    $e.target.resource.name = $resource
    (
      re.regex($e.metadata.product_event_type, `(?i)(add|delete|consent|update|create)`) and
      not re.regex($e.principal.user.userid, `(?i)(service-|automation-|pipeline-)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Azure AD Microsoft 365

Required Tables

USER_CHANGE RESOURCE_CREATION

False Positives

Legitimate IT administrators deploying enterprise applications that require admin consent for business-critical permissions
Productivity application onboarding during organizational rollouts (e.g., deploying a new CRM, ITSM, or HR integration)
Third-party security vendors requiring Mail.Read or Directory.Read.All for legitimate CASB, DLP, or threat protection services

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "UserActivityAuditEvent"
| EventName = /(?i)(add|delete|consent|update|create)/
| UserName != /(?i)(service-|automation-|pipeline-)/
| case {
    EventName = /(?i)delete/ | RiskScore := "High" ;
    EventName = /(?i)consent/ | RiskScore := "High" ;
    EventName = /(?i)(add|create)/ | RiskScore := "Medium" ;
    * | RiskScore := "Low"
}
| RiskScore != "Low"
| table([UserName, EventName, TargetObjectId, SourceIPAddress, RiskScore, @timestamp])
| sort(@timestamp, order=desc, limit=100)

high severity high confidence

Data Sources

CrowdStrike Falcon Identity Protection

Required Tables

UserActivityAuditEvent AuthActivityAuditEvent

False Positives

Legitimate IT administrators deploying enterprise applications that require admin consent for business-critical permissions
Productivity application onboarding during organizational rollouts (e.g., deploying a new CRM, ITSM, or HR integration)
Third-party security vendors requiring Mail.Read or Directory.Read.All for legitimate CASB, DLP, or threat protection services

Cloud Application Integration

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Persistence

Popular Detections