Introduction

Senserva is excited to announce the newest release of the Senserva engine, which includes the ‘Applications Simulator’. The Applications Simulator focuses on all aspects of applications (app registrations) in your tenant: it retrieves them and augments them with the intelligence of the Senserva engine.

  • Focused on application access
    • Different ways to grant it: consent/owner/role
      • Access based on role and the dangers of that
  • Easily query data without pivoting between portals

App Registrations & the hidden dangers

In the past, we have already dived into the dangers of applications and how Senserva can mitigate them. App Registrations and Enterprise Applications (or Service Principals) are an essential part of your Azure AD environment. The OAuth 2.0 protocol, which is used for authentication within Azure AD, has app registrations at its basis. Managing, controlling, and securing these applications is of paramount importance.

This release of the Senserva engine, which introduces the Applications Simulator, focuses on RBAC for app registrations. While RBAC might sound simple, there are multiple ways to give somebody access to an application:

  • Azure AD Roles
    • Global Administrator
    • (Cloud) Application Administrator
    • Application Developer
  • Custom Azure AD Roles
  • Owners on the application

While all of these roles apply to applications, they each differ in scope:

  • Global Administrators have access to all applications by default and can provide admin consent to an application.
  • An Application Administrator has admin permissions on all applications (including app proxies), while a Cloud Application Administrator has access to all applications, excluding app proxies.
  • Azure AD also supports custom Azure AD roles, which currently only support applications but allow you to scope the admin role to specific actions at the application level.
  • Owner permissions can be granted on a specific application, which provides admin privileges on that specific application.

Knowing exactly which applications can be managed and accessed by which users can be extremely challenging: permissions can be granted on multiple levels (administrator roles vs. owner permissions) and can also be nested (for example, by assigning an Azure AD role to a security group).

Introducing Senserva 3.0

The Senserva engine retrieves all of this data and writes it to your workspace in an easily queryable format, so that this spread-out data can be retrieved with one simple query. This gives you a bird’s-eye view of which administrators have access to which applications, without needing to pivot between different portals and screens.

Senserva retrieves all of that data from your tenant and saves it for you to query. Besides that, it also connects the data from this update to existing data, allowing you to benefit from the engine’s previous integrations, for example by querying all risky users who have access to an application.

Identity RBAC on applications

To showcase how easy querying the data is, we will take the update for a spin and provide some sample queries that identify the RBAC configuration of all applications within your tenant. This will be done using three sample queries:

  • Retrieving all users who have access to a specific application
  • Listing application access for a specific user
  • Listing all users who have access to an application with mailbox permissions

Retrieving all users who have access to a specific application

As there are multiple levels at which administrator access can be assigned to an application, this query looks across the data and finds all users who have access to an application, independent of how that access was assigned (Azure AD roles, custom Azure AD roles or owner permissions).

let AppNameToAudit = "SenservaScanApp";
SenservaPro_CL
| where ControlName_s in ("ApplicationOwnerEstimatedRule","ApplicationAccessRolePermissionEstimatedRule","ApplicationAccessAppRoleAssignedEstimatedRule")
| extend AppName = tostring(parse_json(Value_s)[0].Value)
| where AppName == AppNameToAudit

Listing application access for a specific user

If you are investigating a potentially breached account or handling an employee offboarding, knowing the exact access a user has can be extremely powerful. This query lists all applications a user has access to.

let AdminToAudit = "John Smith";
SenservaPro_CL
| where ControlName_s in ("ApplicationOwnerEstimatedRule","ApplicationAccessRolePermissionEstimatedRule","ApplicationAccessAppRoleAssignedEstimatedRule")
| extend Admin = tostring(parse_json(Value_s)[2].Value)
| where Admin == AdminToAudit
| extend AppName = tostring(parse_json(Value_s)[0].Value)
| project-reorder AppName, Admin
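The two queries above look at one application or one user at a time. The following query is an added example, not part of the Senserva post or engine: it normalises the same three controls into one table, labels how each principal obtained access, and then summarises per principal, so you can spot accounts whose access spans many applications. It assumes the Value_s layout the post’s queries use (index 0 = application name, index 1 = application id, index 2 = principal); the AccessPath labels are my own shorthand for the three control names, and the 7-day lookback is an assumption to keep only recent scan results.

```kql
// Added example: per-principal view of application access across all three access paths.
// Assumes Value_s is a JSON array where [0]=AppName, [1]=AppId, [2]=Admin (as in the post's queries).
let Lookback = 7d;   // assumed scan window; older rows are earlier runs of the engine
let AppAccess = SenservaPro_CL
| where TimeGenerated > ago(Lookback)
| where ControlName_s in ("ApplicationOwnerEstimatedRule","ApplicationAccessRolePermissionEstimatedRule","ApplicationAccessAppRoleAssignedEstimatedRule")
| extend Parsed = parse_json(Value_s)
| extend AppName = tostring(Parsed[0].Value),
         AppId   = tostring(Parsed[1].Value),
         Admin   = tostring(Parsed[2].Value)
// Label the way access was granted, derived from the control that produced the row
| extend AccessPath = case(
    ControlName_s == "ApplicationOwnerEstimatedRule", "Owner",
    ControlName_s == "ApplicationAccessRolePermissionEstimatedRule", "Azure AD role",
    "App role assignment")
| distinct AppId, AppName, Admin, AccessPath;
// One row per principal: how many applications they can administer, and via which paths
AppAccess
| summarize AppCount    = dcount(AppId),
            Apps        = make_set(AppName, 50),
            AccessPaths = make_set(AccessPath)
    by Admin
| where AppCount > 1      // principals whose access spans more than one application
| order by AppCount desc
```

Swap the final `summarize ... by Admin` for `by AppName` to get the application-centric view instead.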

List all users who have access to an application with mailbox permissions

This last query showcases that multiple controls can be combined to create powerful searches. If you want to combine the permissions of applications with their owners, this is possible with the SenservaPro engine!

This allows you to identify any user who has access to highly privileged permissions (such as mailbox permissions) and could be targeted to move laterally throughout the environment.

SenservaPro_CL
| where ControlName_s == "ApplicationAccessConsentedPermissionEstimatedRule"
| extend PermissionDescription = tostring(parse_json(Value_s)[2].Value)
| where PermissionDescription contains "Mail"
| extend AppId = tostring(parse_json(Value_s)[1].Value)
| join (
SenservaPro_CL
| where ControlName_s in ("ApplicationOwnerEstimatedRule","ApplicationAccessRolePermissionEstimatedRule","ApplicationAccessAppRoleAssignedEstimatedRule")
| extend AppId = tostring(parse_json(Value_s)[1].Value)
) on AppId
| project-reorder Value_s1

Combining simulator data with data from previous releases

While this newest release adds a ton of data, its real power lies in its compatibility with the data that was already there. As we are constantly adding data, you can combine all of it to identify connections you would never be able to find through the portal.

An example can be found in the last query of this blog: it finds all applications that have an expired credential and lists their owners.

SenservaPro_CL
| where ControlName_s == "ApplicationClientCredentials"
| extend AppId = tostring(parse_json(Value_s)[1].Value)
| extend Expiration = todynamic(parse_json(Value_s)[2].Value)
| mv-expand Expiration
| extend ExpirationTime = todatetime(Expiration.Value)
// credentials that expired more than 10 days ago
| where ExpirationTime < ago(10d)
| join kind=inner (
    SenservaPro_CL
    | where TimeGenerated > ago(7d)
    | where ControlName_s in ("ApplicationOwnerEstimatedRule")
    | extend Admin = tostring(parse_json(Value_s)[2].Value)
    | extend AppName = tostring(parse_json(Value_s)[0].Value)
    | extend AppId = tostring(parse_json(Value_s)[1].Value)
) on AppId
| project-reorder ExpirationTime, AppName, Admin

Want to know more?

Want to know more on how Senserva could benefit your organization and provide useful insights? Feel free to get in touch!