Skip to Main Content
Liongard Library

Welcome to Liongard Library, where Lions share! This is a community-led space where Liongard users can come to teach and learn from one another.
Share custom Metrics, get inspired and see what’s trending in the Pride.

Pride Etiquette:
➕ Have great custom Metrics? Add them as entries!
🌟 Want to use a Metric? Copy the query and
follow this doc.
👍 Tried a Metric from the Library? Like it!
📣 Have a question or feedback on a Metric? Add a comment!
🔎 Not sure where to start? Learn about Metrics and how to write them.
💬 Need help writing a metric or want to help support others? Join the conversation in our Liongard Lounge #metrics slack channel.

🥴 See something off? Open a support chat to let us know.

Categories Microsoft 365
Created by Devon
Created on Apr 11, 2023

Microsoft 365 : Malicious Application Consent - PerfectData

This application has actively been used during account compromises to create a backup of the accounts mailbox.
Create an actionable alert for this and audit all environments.


ServicePrincipals[?appId==`ff8d92dc-3d82-41d6-bcbd-b9174d163620`].join( ` `, [join(` `, [` `, to_string(appDisplayName)]), join(` `, [`: `, to_string(createdDateTime)])])

  • Attach files
  • Todd Smith
    Jul 24, 2023

    Thank you! This helped us proactively find 18 tenants and over 30 individual user accounts that were compromised.

    Highly recommend using this Metric and building Actionalble Alert!