Skip to Main Content
Liongard Library

Welcome to Liongard Library, where Lions share! This is a community-led space where Liongard users can come to teach and learn from one another.
Share custom Metrics, get inspired and see what’s trending in the Pride.

Pride Etiquette:
➕ Have great custom Metrics? Add them as entries!
🌟 Want to use a Metric? Copy the query and
follow this doc.
👍 Tried a Metric from the Library? Like it!
📣 Have a question or feedback on a Metric? Add a comment!
🔎 Not sure where to start? Learn about Metrics and how to write them.
💬 Need help writing a metric or want to help support others? Join the conversation in our Liongard Lounge #metrics slack channel.


🥴 See something off? Open a support chat to let us know.

Categories Microsoft 365
Created by David Chapman
Created on Feb 23, 2024

M365: PerfectData App Check

Malicious actors are utilizing a vulnerability with the "PerfectData Software" Entra(AKA Azure) enterprise application. This metric can query each M365 inspector and display whether or not the app is present in the tenant. This can be used with our Reports and Actionable Alerts features.


More information about the vulnerability can be found here: https://darktrace.com/blog/how-abuse-of-perfectdata-software-may-create-a-perfect-storm-an-emerging-trend-in-account-takeovers

Query

ServicePrincipals[?contains(to_string(appDisplayName), 'PERFECTDATA')].['Tenant:',~.Name, '|', 'AppName:', appDisplayName]

  • Attach files
  • Peter Just
    Reply
    |
    Feb 27, 2024

    We have needed to use this. Very helpful!