Microsoft has introduced a new Applications page in Defender XDR, consolidating all SaaS and connected OAuth applications into a single, unified inventory. This centralized view enhances visibility and control by displaying risk scores, usage patterns, publisher verification status, and privilege levels.
Additionally, the OAuthAppInfo table is now available in Advanced Hunting, providing insights into Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and monitored via Defender for Cloud Apps.
You Should Know:
1. How to Query OAuth Applications in Advanced Hunting
Use Kusto Query Language (KQL) to extract OAuth app details:
// Look up one app by name and show its publisher, risk score and granted permissions
OAuthAppInfo
| where ApplicationName contains "HighRiskApp"
| project ApplicationName, Publisher, RiskScore, Permissions
2. Monitoring Suspicious OAuth Grants
Check for excessive permissions:
// Count apps that have been granted read/write access to mailboxes
OAuthAppInfo
| where Permissions has "Mail.ReadWrite"
| summarize count() by ApplicationName
3. PowerShell Command to List OAuth Apps in Entra ID
# AzureAD module (deprecated in favour of the Microsoft Graph PowerShell SDK); lists application registrations in the tenant
Get-AzureADApplication | Select-Object DisplayName, AppId, PublisherDomain
4. Revoking Suspicious OAuth Apps
# Deletes the application registration object. A third-party app consented into the tenant exists there as a service principal; see Get-AzureADServicePrincipal / Remove-AzureADServicePrincipal for that case
Remove-AzureADApplication -ObjectId <AppObjectId>
5. Linux Command to Check DNS Fluxing (Related to Fast Flux Advisory)
# Resolve the domain and count how often each returned address appears; repeat over time to see the address set churn
dig +short example.com | sort | uniq -c
6. Windows Command to Check DNS Cache for Malicious Entries
ipconfig /displaydns | findstr "malicious-domain.com"
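As an added example that is not part of the original post, the following single KQL query combines items 1 and 2 above: it returns OAuth apps that either hold one of a list of sensitive permissions or carry a high risk score, grouped per app and publisher, with the most exposed apps first. The column names (ApplicationName, Publisher, RiskScore, Permissions) are the ones the post's own queries use; the sensitive-permission list and the threshold of 7 are assumptions to tune locally, and both the column names and the score scale should be checked against the OAuthAppInfo schema in your tenant before relying on the results.

```kql
// Added example (not from the original post): one hunting query covering
// both the inventory lookup and the excessive-permission check.
// Column names follow the post's queries; verify them against the
// OAuthAppInfo schema reference. Permission list and threshold are assumed.
let SensitivePermissions = dynamic([
    "Mail.ReadWrite",            // from the post's own check
    "Mail.Send",
    "Files.ReadWrite.All",
    "Directory.ReadWrite.All",
    "User.ReadWrite.All"]);
OAuthAppInfo
// Flag rows whose permission string contains any of the sensitive scopes
| extend HasSensitivePermission = Permissions has_any (SensitivePermissions)
// Keep apps that are either over-privileged or already scored as risky (7 is an assumed cut-off)
| where HasSensitivePermission or RiskScore >= 7
| summarize
    SensitivePermissionCount = countif(HasSensitivePermission),
    MaxRiskScore = max(RiskScore),
    GrantedPermissions = make_set(Permissions)
    by ApplicationName, Publisher
| order by MaxRiskScore desc, SensitivePermissionCount desc
```

Run it in Advanced Hunting and review the top rows first: an unverified publisher combined with a sensitive scope is the case to escalate, while a known publisher with the same scope may only need confirmation that the grant is still required.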
What Undercode Says:
The integration of OAuth app governance into Defender XDR strengthens cloud security by enabling real-time monitoring of third-party app permissions. Security teams should:
– Regularly audit OAuth grants using KQL queries.
– Revoke unused or high-risk apps via PowerShell.
– Monitor DNS anomalies to detect Fast Flux attacks (as highlighted in the Five Eyes advisory).
– Automate threat detection with Defender's APIs and SIEM integrations.
Expected Output:
- A structured report of OAuth apps with risk scores.
- Alerts on unverified publishers or excessive permissions.
- Automated remediation scripts for malicious app removal.
- DNS logs indicating Fast Flux activity.
References:
Reported By: Markolauren Defenderxdr – Hackers Feeds