Liongard Library

Welcome to Liongard Library, where Lions share! This is a community-led space where Liongard users can come to teach and learn from one another.
Share custom Metrics, get inspired and see what’s trending in the Pride.

Pride Etiquette:
➕ Have great custom Metrics? Add them as entries!
🌟 Want to use a Metric? Copy the query and follow this doc.
👍 Tried a Metric from the Library? Like it!
📣 Have a question or feedback on a Metric? Add a comment!
🔎 Not sure where to start? Learn about Metrics and how to write them.
💬 Need help writing a metric or want to help support others? Join the conversation in our Liongard Lounge #metrics slack channel.


🥴 See something off? Open a support chat to let us know.

Add a new Metric entry Subscribe
Categories Microsoft 365
Created by Devon
Created on Apr 11, 2023

RELATED METRIC

Microsoft 365 : Malicious Application Consent - PerfectData

This application has actively been used during account compromises to create a backup of the accounts mailbox.
Create an actionable alert for this and audit all environments.

Query

ServicePrincipals[?appId==`ff8d92dc-3d82-41d6-bcbd-b9174d163620`].join( ` `, [join(` `, [` `, to_string(appDisplayName)]), join(` `, [`: `, to_string(createdDateTime)])])
  • Attach files
  • Todd Smith
    Reply
    |     Jul 24, 2023

    Thank you! This helped us proactively find 18 tenants and over 30 individual user accounts that were compromised.

    Highly recommend using this Metric and building Actionalble Alert!