Solutions/Bitglass/Hunting Queries/BitglassNewApplications.yaml (25 lines of code) (raw):

id: fee15f4d-143f-4a2d-8f3d-dcf9e716f192
name: Bitglass - New applications
description: |
  'Query searches for new applications configured.'
severity: Medium
requiredDataConnectors:
  - connectorId: Bitglass
    dataTypes:
      - Bitglass
tactics:
  - Exfiltration
relevantTechniques:
  - T1078
query: |
  Bitglass
  // Look back over the last day of Bitglass admin-audit events
  | where TimeGenerated > ago(24h)
  | where EventType =~ 'admin'
  // Keep only detail strings that mention an application being added
  | where EventResultDetails has_all ('Application', 'added')
  // Pull the application name out of "Application <name> added"
  | extend n_app = extract(@'Application\s(.*?)\sadded', 1, EventResultDetails)
  | extend AppCustomEntity = n_app
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: AppCustomEntity