Tutorial: Investigate risky OAuth apps

Applies to: Microsoft Cloud App Security

OAuth is an open standard for token-based authentication and authorization. OAuth enables a user's account information to be used by third-party services without exposing the user's password. OAuth acts as an intermediary on behalf of the user, providing the service with an access token that authorizes specific account information to be shared.

For example, an app that analyses the user's calendar and gives advice on how to become more productive needs access to the user's calendar. Instead of receiving the user's credentials, OAuth enables the app to get access to the data based only on a token, which is generated when the user provides consent on a page such as the one in the picture below.

OAuth app permissions

Many third-party apps that might be installed by business users in your organization request permission to access user information and data and to sign in on behalf of the user in other cloud apps. When users install these apps, they often click accept without closely reviewing the details in the prompt, including the permissions being granted to the app. Accepting third-party app permissions is a potential security risk to your organization.

For example, the following OAuth app consent page might look legitimate to the average user; however, "Google APIs Explorer" shouldn't need to request permissions from Google itself. This indicates that the app might be a phishing attempt, not related to Google at all.

OAuth phishing

As a security admin, you need visibility and control over the apps in your environment, and that includes the permissions they have. You need the ability to prevent use of apps that require permissions to resources you wish to revoke. Therefore, Microsoft Cloud App Security provides you with the ability to investigate and monitor the app permissions your users granted. This article is dedicated to helping you investigate the OAuth apps in your organization, focusing on the apps that are more likely to be suspicious.

Our recommended approach is to investigate the apps by using the capabilities and information provided in the Cloud App Security portal to filter out apps with a low chance of being risky, and to focus on the suspicious apps.

How to detect risky OAuth apps

Detecting a risky OAuth app can be accomplished using:

  • Alerts: React to an alert triggered by an existing policy.
  • Hunting: Search for a risky app among all the available apps, without a concrete suspicion of risk.

Detect risky apps using alerts

You can set policies to automatically send you notifications when an OAuth app meets certain criteria. For example, you can set a policy to automatically notify you when an app is detected that requires high permissions and was authorized by more than 50 users. For further details on creating OAuth policies, see OAuth app policies.

Detect risky apps by hunting

  1. In the portal, go to Investigate and then OAuth apps. Use the filters and queries to review what's happening in your environment:

    • Set the filter to Permission level high severity and Community use not common. Using this filter, you can focus on apps that are potentially very risky, where users may have underestimated the risk.

    • Under Permissions, select all the options that are particularly risky in a specific context. For example, you can select all the filters that grant permission to email access, such as Full access to all mailboxes, and then review the list of apps to make sure that they all really need mail-related access. This helps you investigate within a specific context and find apps that seem legitimate but contain unnecessary permissions. These apps are more likely to be risky.

      OAuth phishing

    • Select the saved query Apps authorized by external users. Using this filter, you can find apps that might not be aligned with your company's security standards.

  2. After you review your apps, you can focus on the apps in the queries that seem legitimate but might actually be risky. Use the filters to find them:

    • Filter for apps that are Authorized by a small number of users. By focusing on these apps, you can look for risky apps that were authorized by a compromised user.
    • Apps that have permissions that don't match the app's purpose, for example, a clock app with full access to all mailboxes.
  3. Click on each app to open the app drawer, and check whether the app has a suspicious name, publisher, or website.

  4. Look at the list of apps and target apps whose date under Last authorized isn't recent. These apps may no longer be required.

    OAuth app drawer
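The hunting filters above can be applied mechanically once the app inventory has been exported. The following script is an added example, not part of this article or the Cloud App Security product: it runs the tutorial's triage criteria (high permission level with uncommon community use, mail-related permissions, external authorizers, few authorizing users, stale last-authorized date) over a constructed list of app records whose field names are assumed, not the real export format, and ranks the apps by how many criteria they match.

```python
from datetime import date

# Constructed sample records (not the real Cloud App Security export format).
# Field names are assumptions chosen to mirror the portal's filters.
SAMPLE_APPS = [
    {"name": "Calendar Insights", "publisher": "Contoso Ltd",
     "permission_level": "high", "community_use": "common",
     "authorized_users": 420, "permissions": ["Read user calendars"],
     "last_authorized": date(2021, 5, 3), "external_users": False},
    {"name": "Mailbox Sync Helper", "publisher": "unknown",
     "permission_level": "high", "community_use": "not common",
     "authorized_users": 3,
     "permissions": ["Full access to all mailboxes", "Sign in as user"],
     "last_authorized": date(2021, 5, 10), "external_users": True},
    {"name": "Desk Clock", "publisher": "Fabrikam",
     "permission_level": "medium", "community_use": "common",
     "authorized_users": 12, "permissions": ["Full access to all mailboxes"],
     "last_authorized": date(2019, 1, 20), "external_users": False},
]

# Date the review is run against (fixed so the example is reproducible).
REPORT_DATE = date(2021, 6, 1)

# Permission names treated as mail-related (constructed list, extend as needed).
MAIL_PERMISSIONS = {"Full access to all mailboxes", "Read user mail", "Send mail as user"}


def triage(app, today, small_user_count=5, stale_days=365):
    """Return the tutorial's hunting criteria this app matches (more = higher priority)."""
    reasons = []
    if app["permission_level"] == "high" and app["community_use"] == "not common":
        reasons.append("high permission level with uncommon community use")
    if MAIL_PERMISSIONS & set(app["permissions"]):
        reasons.append("mail-related permissions: confirm the app really needs them")
    if app["external_users"]:
        reasons.append("authorized by external users")
    if app["authorized_users"] <= small_user_count:
        reasons.append("authorized by a small number of users (check for a compromised user)")
    if (today - app["last_authorized"]).days > stale_days:
        reasons.append("last authorized long ago; may no longer be required")
    return reasons


def prioritize(apps, today):
    """Rank apps by the number of matched criteria, most suspicious first."""
    scored = [(app["name"], triage(app, today)) for app in apps]
    return sorted(scored, key=lambda item: len(item[1]), reverse=True)


if __name__ == "__main__":
    for name, reasons in prioritize(SAMPLE_APPS, REPORT_DATE):
        print(f"{name}: {len(reasons)} flag(s)")
        for reason in reasons:
            print(f"  - {reason}")
```

Apps with zero flags still deserve the manual checks in the steps below (name, publisher, website); the ranking only decides where to start.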

How to investigate

After you determine that an app is suspicious and you want to investigate it, we recommend the following key principles for an efficient investigation:

  • The more common and widely used an app is, either by your organization or online, the more likely it is to be safe.
  • An app should require only permissions that are related to the app's purpose. If that's not the case, the app might be risky.
  • Apps that require high privileges or admin consent are more likely to be risky.
  1. Click on the app to open the app drawer and click the link under Related activities. This opens the Activity log page filtered for activities performed by the app. Keep in mind that some apps perform activities that are registered as having been performed by a user. These activities are automatically filtered out of the results in the Activity log. For further investigation using the activity log, see Activity log.
  2. If an app seems suspicious, we recommend that you investigate the app's name and publisher in different app stores. Focus on the following apps, which might be suspicious:
    • Apps with a low number of downloads.
    • Apps with a low rating or score, or bad comments.
    • Apps with a suspicious publisher or website.
    • Apps whose last update is not recent. This might indicate an app that is no longer supported.
    • Apps that have irrelevant permissions. This might indicate that an app is risky.
  3. If the app is still suspicious, you can research the app name, publisher, and URL online.
  4. You can export the OAuth app audit for further analysis of the users who authorized an app. For more information, see OAuth app auditing.

How to remediate

After you determine that an OAuth app is risky, Cloud App Security provides the following remediation options:

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.