Create advanced-hunting-oauthappinfo-table.md

schmurky · schmurky · commit 36bc41a94c9d · 2025-03-12T17:40:39.000Z
diff --git a/defender-xdr/advanced-hunting-oauthappinfo-table.md b/defender-xdr/advanced-hunting-oauthappinfo-table.md
@@ -0,0 +1,68 @@
+---
+title: OAuthAppInfo table in the advanced hunting schema
+description: Learn about the 
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 03/12/2025
+---
+
+# OAuthAppInfo
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+
+
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `DeviceBaselineComplianceAssessment` table in the advanced hunting schema contains baseline compliance assessment snapshot, which indicates the status of various security configurations related to baseline profiles on devices. 
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `ReportId` | `string` | Unique identifier for the record|
+| `Timestamp` | `string` | Date and time when the record was created|
+| `OAuthAppId` | `string` | The unique  identifier for the app as assigned by Microsoft Entra ID|
+| `ServicePrincipalId` | `string` | The unique identifier for the service principal instance of the application in the tenant|
+| `AppName` | `string` | The application's display name as exposed by the associated service principal|
+| `AddedOnTime` | `datetime` | Date and time when the application was registered|
+| `LastModifiedTime` | `datetime` | Timestamp when the app was last modified|
+| `AppStatus` | `string` | Status of the app; can be: Enabled, DisabledByMicrosoft, DisabledByAppGovernancePolicy, DisabledByUser, Deleted (information for apps with Deleted status is only available for 30 days since the app was deleted)|
+| `VerifiedPublisher` | `dynamic` | Specifies details about the verified publisher of the application which this service principal represents. It includes information such as: DisplayName, VerifiedPublisherId, AddedDateTime|
+| `PrivilegeLevel` | `string` | The privilege level of the app based on the highest classified permission granted to the app|
+| `Permissions` | `dynamic` | Contains an array of permission objects; each permission object includes PermissionName, TargetAppId, TargetAppDisplayName, PermissionType, PrivilegeLevel, UsageStatus|
+| `ConsentedUsersCount` | `integer` | Count of users who have consented to the app; this information is only available when the app is not admin consented|
+| `IsAdminConsented` | `boolean` | Value is True if a user has provided admin consent to the app on behalf of all the users in the org, otherwise the value is False|
+| `AppOrigin` | `string` | Specifies whether was the app is internal to the organization or registered in an external tenant|
+| `LastUsedTime` | `datetime` | Date and time when the app was last used|
+| `AppOwnerTenantId` | `string` |Specifies the ID of the tenant where the app was registeredrd|
+
+
+
+
+## Related topics
+
+- [Proactively hunt for threats](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
