MyApps and Excessive App Access

gistfile1.txt

index=app_mso365_index sourcetype="o365:management:activity" ApplicationId=*
```Export of Apps in your tenant(s)```
| lookup EnterpriseAppsList.csv appId AS ApplicationId OUTPUT displayName applicationType assignmentRequired

```The following apps appear to be common amongst most all of our user base. Therefore we are removing them to not inflate counts```
| search NOT displayName IN ("app1", "app2") 

```Put your potentailly sensitive apps here. Onboarding system, EDR, service desk related, confluence, etc.```
| eval sensitiveApps=if(match(displayName,"(?i)app3|app4"),"True", "False")

```Log access time by app as we want to see where My Apps predates the others```
| eval access_time=strftime(_time, "%m/%d/%Y %H:%M:%S") 
| eval displayName = if(displayName=="My Apps","0".displayName,displayName) 
| eval app_access_time=displayName+" - "+access_time 
| bin span=1h _time 
| stats values(app_access_time) as app_access_time values(access_time) AS access_time dc(ApplicationId) AS uniqapps values(ApplicationId) AS ApplicationId values(displayName) AS displayName values(applicationType) AS applicationType values(assignmentRequired) AS assignmentRequired values(sensitiveApps) AS sensitiveApps values(ClientIP) AS src_ip values(ActorContextId) AS ActorContextId values(UserAgent) AS UserAgent values(ResultStatus) AS ResultStatus by _time SessionId user 

```Show me where there more than 8 applications. Tweak as appropriate for our org.```
| where uniqapps > 8 | sort -uniqapps

```Show me where one of the apps was https://myapps.microsoft.com/ or the other portals```
```Microsoft App Access Panel
0000000c-0000-0000-c000-000000000000
My Apps
2793995e-0a7d-40d7-bd35-6968ba142197	
https://account.activedirectory.windowsazure.com/r#/applications
https://myapplications.microsoft.com/#optIn```


```Sort so we can see My Apps access times first```
| eval test=mvindex(ApplicationId, mvfind(ApplicationId, "2793995e-0a7d-40d7-bd35-6968ba142197")) 
| eval test2=mvindex(ApplicationId, mvfind(ApplicationId, "0000000c-0000-0000-c000-000000000000")) 
| search test=* OR test2=*
| eval app_access_time = mvsort(app_access_time) 
| rex field=displayName mode=sed "s/^0(.+)/\1/" 
| rex field=app_access_time mode=sed "s/^0(.+)/\1/" 
| mvexpand src_ip

```I like to do enrichment on src_ip. Maxmind, Spur, etc.```
```Do scoring to filter out your expected egress ranges and up score on suspect IPs```
`maxmind_asn_enrich(src_ip)` 
| eval isOrgEgress=if(match(maxmind_asn_owner,"(?i)MyOrg"), "yes", "NOT MyOrg") 
| eval custom_severity_score=case(match(MyOrg,"yes"),0,1=1,1)
| stats values(*) as * by _time SessionId user

```Take the highest severity score from the user's source ips.  You will need to add more to the list if you want to increase the severity score above low or informational.```
| eval custom_severity_score=max(custom_severity_score)
| eval custom_severity_score=if(custom_severity_score=="1", "low", "informational")
| eval alert_email="" 
| fields - test, assignmentRequired, applicationType

Can you help define the macro in line 41?

You bet. We have information from MaxMind in a automatically refreshing lookup table. I would encourage you to do the same with a tool like Spur in order to find residential proxies and 3rd party vpns.

lookup asn_lookup_by_cidr ip AS src_ip OUTPUT autonomous_system_organization AS maxmind_asn_owner_v4, autonomous_system_number AS maxmind_asn_v4 local=true 
| lookup asn_lookup_by_cidr_ipv6 ip AS src_ip OUTPUT autonomous_system_organization AS maxmind_asn_owner_v6, autonomous_system_number AS maxmind_asn_v6 local=true 
| eval maxmind_asn = coalesce(maxmind_asn_v4,maxmind_asn_v6), maxmind_asn_owner = coalesce(maxmind_asn_owner_v4, maxmind_asn_owner_v6) 
| fields - maxmind_asn_owner_v4,maxmind_asn_owner_v6,maxmind_asn_v4,maxmind_asn_v6