Detect Cloud Application Integration in IBM QRadar
This detection identifies adversaries achieving persistence in SaaS environments by abusing OAuth application integrations. Attackers register malicious applications, hijack existing integrations, or consent to adversary-controlled apps from high-privileged accounts to maintain access even after account compromise or password resets. Detection focuses on anomalous OAuth consent grants, new application registrations, service principal creation, and permission escalation events in Microsoft 365, Azure AD/Entra ID, and Google Workspace environments. Particular attention is paid to admin consent grants for high-privilege scopes, application registrations from non-admin users, and OAuth grants that occur outside normal business workflows.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1671 Cloud Application Integration
- Canonical reference: https://attack.mitre.org/techniques/T1671/
QRadar Detection Query
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS UserPrincipalName,
    sourceip AS SourceIP,
    "EventName" AS Operation,
    CASE
        WHEN "EventName" ILIKE '%delete%' OR "EventName" ILIKE '%remove%' THEN 85
        WHEN "EventName" ILIKE '%add%' OR "EventName" ILIKE '%create%' THEN 70
        WHEN "EventName" ILIKE '%update%' THEN 65
        ELSE 55
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure', 'Azure Active Directory Audit Log')
    AND ("EventName" ILIKE '%subscription%'
        OR "EventName" ILIKE '%consent%'
        OR "EventName" ILIKE '%permission%'
        OR "EventName" ILIKE '%role%')
    /* A SELECT alias such as RiskScore cannot be referenced in WHERE, so the
       operations that score 65 or higher are spelled out here instead. */
    AND ("EventName" ILIKE '%delete%' OR "EventName" ILIKE '%remove%'
        OR "EventName" ILIKE '%add%' OR "EventName" ILIKE '%create%'
        OR "EventName" ILIKE '%update%')
ORDER BY EventTime DESC
LAST 24 HOURS

This AQL query implements the IBM QRadar detection for Cloud Application Integration (T1671). It searches the QRadar event pipeline for Azure AD / Entra ID audit operations consistent with cloud application integration abuse and ranks them with a MITRE ATT&CK-aligned risk score.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT administrators deploying enterprise applications that require admin consent for business-critical permissions
- Productivity application onboarding during organizational rollouts (e.g., deploying a new CRM, ITSM, or HR integration)
- Third-party security vendors requiring Mail.Read or Directory.Read.All for legitimate CASB, DLP, or threat protection services
Other platforms for T1671
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Register Malicious OAuth Application in Azure AD
Expected signal: AuditLogs entries: OperationName='Add application' and OperationName='Add service principal' with the new App ID in TargetResources. OperationName='Add delegated permission grant' showing Graph API permission additions.
- Test 2: Grant Admin Consent to Existing Application via PowerShell
Expected signal: AuditLogs: OperationName='Add OAuth2PermissionGrant' with ConsentType='AllPrincipals' and Scope containing 'Mail.Read'. InitiatedBy will show the Global Administrator account. ResultType should be 'Success'.
- Test 3: Add Client Secret to Existing Service Principal for Persistent API Access
Expected signal: AuditLogs: OperationName='Add password to service principal' with the target App ID in TargetResources and the credential display name 'AtomicTest-PersistentSecret'. AADSignInLogs: Service principal sign-in using client_credentials grant type showing the App ID authenticating to Microsoft Graph.
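The following Python script is an added example, not part of this detection package, that models the QRadar query and the three tests above offline: it reproduces the query's keyword filter and RiskScore CASE, adds the OperationName values the Testing Methodology lists as expected signals, escalates tenant-wide (ConsentType='AllPrincipals') consent for sensitive scopes, and suppresses an allowlisted vendor app as the False Positives & Tuning section suggests. The audit records, App IDs, scope list beyond Mail.Read and Directory.Read.All, and the AdditionalDetails/TargetResources field layout are constructed assumptions, not values from the page or from any real tenant.

```python
"""Offline model of the T1671 QRadar detection: the AQL keyword filter and RiskScore
CASE from the query, plus the AuditLogs signals listed for the three Atomic tests,
run over constructed Entra ID (Azure AD) audit records."""
from __future__ import annotations

# Keywords and minimum score copied from the AQL query.
AQL_KEYWORDS = ("subscription", "consent", "permission", "role")
AQL_MIN_SCORE = 65

# OperationName values the Testing Methodology lists for each Atomic test (lower-cased).
TEST_SIGNALS = {
    "add application": "test 1: new application registration",
    "add service principal": "test 1: new service principal",
    "add delegated permission grant": "test 1: Graph permission added",
    "add oauth2permissiongrant": "test 2: OAuth2 permission grant",
    "add password to service principal": "test 3: credential added to service principal",
}

# Scopes worth escalating on tenant-wide consent. Assumption: Mail.Read and
# Directory.Read.All come from the tuning notes; the rest are added here. Tune per tenant.
HIGH_PRIVILEGE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Directory.Read.All",
                         "Directory.ReadWrite.All", "User.Read.All"}


def risk_score(operation: str) -> int:
    """Same ordering as the query's CASE: delete/remove > add/create > update > other."""
    op = operation.lower()
    if "delete" in op or "remove" in op:
        return 85
    if "add" in op or "create" in op:
        return 70
    if "update" in op:
        return 65
    return 55


def matches_aql_filter(operation: str) -> bool:
    """The query's WHERE clause: a keyword hit AND RiskScore >= 65 (ILIKE is case-insensitive)."""
    op = operation.lower()
    return any(k in op for k in AQL_KEYWORDS) and risk_score(op) >= AQL_MIN_SCORE


def evaluate(event: dict, allowlisted_app_ids: frozenset = frozenset()) -> dict | None:
    """Return a finding for one audit record, or None when nothing is worth alerting on."""
    op = event.get("OperationName", "")
    reasons, score = [], risk_score(op)
    if matches_aql_filter(op):
        reasons.append("AQL keyword filter")
    if op.lower() in TEST_SIGNALS:
        reasons.append(TEST_SIGNALS[op.lower()])
    details = event.get("AdditionalDetails", {})
    # Test 2's signal: consent on behalf of all users for a sensitive Graph scope.
    if details.get("ConsentType") == "AllPrincipals":
        granted = set(details.get("Scope", "").split()) & HIGH_PRIVILEGE_SCOPES
        if granted:
            reasons.append("tenant-wide consent for " + ", ".join(sorted(granted)))
            score = max(score, 90)
    if not reasons:
        return None
    targets = event.get("TargetResources") or []
    app_id = targets[0].get("id") if targets else None
    if app_id in allowlisted_app_ids:
        return None  # known enterprise or vendor integration (False Positives & Tuning)
    return {"time": event.get("ActivityDateTime"), "operation": op, "actor": event.get("InitiatedBy"),
            "app_id": app_id, "result": event.get("ResultType"), "risk_score": score, "reasons": reasons}


def run(events: list, allowlisted_app_ids: frozenset = frozenset()) -> list:
    """Evaluate a batch; newest first like the query's ORDER BY, ties broken by score."""
    findings = [f for e in events if (f := evaluate(e, allowlisted_app_ids))]
    return sorted(findings, key=lambda f: (f["time"], f["risk_score"]), reverse=True)


# Constructed sample records; shape loosely follows Entra AuditLogs, ids are placeholders.
NEW_APP = "11111111-1111-1111-1111-111111111111"     # constructed App ID used by tests 1 and 3
VENDOR_APP = "22222222-2222-2222-2222-222222222222"  # constructed, allowlisted CASB integration
SAMPLE_EVENTS = [
    {"ActivityDateTime": "2024-01-01T09:00:00Z", "OperationName": "Add application",
     "InitiatedBy": "user@example.com", "ResultType": "Success",
     "TargetResources": [{"id": NEW_APP, "displayName": "Mail Sync Helper", "type": "Application"}]},
    {"ActivityDateTime": "2024-01-01T09:01:00Z", "OperationName": "Add OAuth2PermissionGrant",
     "InitiatedBy": "globaladmin@example.com", "ResultType": "Success",
     "TargetResources": [{"id": NEW_APP, "type": "ServicePrincipal"}],
     "AdditionalDetails": {"ConsentType": "AllPrincipals", "Scope": "Mail.Read User.Read"}},
    {"ActivityDateTime": "2024-01-01T09:02:00Z", "OperationName": "Add password to service principal",
     "InitiatedBy": "user@example.com", "ResultType": "Success",
     "TargetResources": [{"id": NEW_APP, "type": "ServicePrincipal"}],
     "AdditionalDetails": {"KeyDescription": "AtomicTest-PersistentSecret"}},
    {"ActivityDateTime": "2024-01-01T10:00:00Z", "OperationName": "Add member to role",
     "InitiatedBy": "globaladmin@example.com", "ResultType": "Success",
     "TargetResources": [{"id": "33333333-3333-3333-3333-333333333333", "type": "User"}]},
    {"ActivityDateTime": "2024-01-01T10:30:00Z", "OperationName": "Add OAuth2PermissionGrant",
     "InitiatedBy": "globaladmin@example.com", "ResultType": "Success",
     "TargetResources": [{"id": VENDOR_APP, "type": "ServicePrincipal"}],
     "AdditionalDetails": {"ConsentType": "AllPrincipals", "Scope": "Directory.Read.All"}},
    {"ActivityDateTime": "2024-01-01T11:00:00Z", "OperationName": "Update user",
     "InitiatedBy": "helpdesk@example.com", "ResultType": "Success",
     "TargetResources": [{"id": "44444444-4444-4444-4444-444444444444", "type": "User"}]},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS, frozenset({VENDOR_APP})):
        print(f["time"], f["risk_score"], f["operation"], "|", "; ".join(f["reasons"]))
```

Running it shows where the query and the tests diverge: the keyword filter alone (subscription, consent, permission, role) catches the role change and the OAuth2 permission grant, but 'Add application', 'Add service principal' and 'Add password to service principal' contain none of those keywords, so the TEST_SIGNALS map is what makes Tests 1 and 3 produce a finding; the same operation names can be added to the AQL WHERE clause if those tests are to fire the QRadar rule.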
References (9)
- https://attack.mitre.org/techniques/T1671/
- https://pushsecurity.com/blog/saas-persistence-techniques/
- https://saasattacks.com/evil-twin-integrations
- https://www.wiz.io/blog/midnight-blizzard-microsoft-breach-2024
- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
- https://www.huntress.com/blog/microsoft-365-oauth-phishing
- https://pushsecurity.com/blog/slack-persistence/
- https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals
- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow