What Changed

Fixed a one-line bug in the OAuthConsentToHighRiskPermissionScope.yaml hunting query that caused it to return zero results. The query was filtering on an incorrect modifiedProperties.displayName value in Entra ID audit logs.

Security Impact

The hunting query was completely non-functional since its initial merge. Security teams using this query to detect OAuth consent to high-risk permissions would have received no alerts, creating a detection blind spot for:

  • Applications gaining excessive permissions through OAuth consent
  • Potential privilege escalation via malicious app consents
  • High-risk scope grants that should trigger investigation

Detection Logic

The query filters Entra ID audit logs for consent events by checking TargetResources[0].modifiedProperties where:

  • Before (broken): displayName =~ "ConsentContext.Permissions"
  • After (fixed): displayName =~ "ConsentAction.Permissions"

The correct property name ConsentAction.Permissions is confirmed by other queries in the same repository that successfully parse OAuth consent events.
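To show why the wrong property name silently returns nothing, here is an added Python check (not code from this PR or the Sentinel repository) that applies the same modifiedProperties filter to constructed audit records; the record layout, the `Scope:` text inside `newValue` and the high-risk scope list are assumptions, not taken from the real query.

```python
import re

# Constructed sample rows shaped like Sentinel's AuditLogs table (OperationName,
# TargetResources[0].modifiedProperties); all values are made up, not tenant data.
SAMPLE_AUDIT_LOGS = [
    {"OperationName": "Consent to application",
     "TargetResources": [{"displayName": "Example Mail Sync", "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
         {"displayName": "ConsentAction.Permissions", "oldValue": "\"[]\"",
          "newValue": "\"[[Id: 1, ClientId: c1, Type: Delegated, "
                      "Scope: Mail.ReadWrite Mail.Send offline_access]]\""}]}]},
    {"OperationName": "Consent to application",
     "TargetResources": [{"displayName": "Example Viewer", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions", "oldValue": "\"[]\"",
          "newValue": "\"[[Id: 2, ClientId: c2, Type: Delegated, Scope: User.Read]]\""}]}]},
    {"OperationName": "Update user",
     "TargetResources": [{"displayName": "alice", "modifiedProperties": []}]},
]

# Assumed high-risk scope list for the demo; the real query carries its own.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "User.ReadWrite.All"}

def consent_scopes(record, property_name):
    """Scopes recorded under the modifiedProperties entry whose displayName
    matches property_name case-insensitively (mirrors the KQL =~ operator)."""
    for prop in record["TargetResources"][0].get("modifiedProperties", []):
        if prop.get("displayName", "").lower() == property_name.lower():
            m = re.search(r"Scope:\s*([^,\]]+)", prop.get("newValue", ""))
            return m.group(1).split() if m else []
    return []  # no such property: the row drops out, exactly as in the broken query

def high_risk_consents(records, property_name="ConsentAction.Permissions"):
    """Return (app display name, sorted high-risk scopes) per matching consent event."""
    hits = []
    for rec in records:
        if rec.get("OperationName") != "Consent to application":
            continue
        risky = sorted(set(consent_scopes(rec, property_name)) & HIGH_RISK_SCOPES)
        if risky:
            hits.append((rec["TargetResources"][0]["displayName"], risky))
    return hits

if __name__ == "__main__":
    # The regression check that would have caught the defect: the old property
    # name matches nothing, the corrected one surfaces the risky consent.
    print(high_risk_consents(SAMPLE_AUDIT_LOGS, "ConsentContext.Permissions"))
    print(high_risk_consents(SAMPLE_AUDIT_LOGS))
```

Running a sample consent record through the query (or an equivalent check like this one) as part of review is what turns a "zero results" bug into a failing test instead of a silent blind spot.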

MITRE Mapping

  • T1098 (Account Manipulation) - OAuth consent can be used to grant persistent access
  • T1078 (Valid Accounts) - Malicious apps gain legitimate access through consent

Affected Files

Hunting Queries/MultipleDataSources/OAuthConsentToHighRiskPermissionScope.yaml