Techniques
Sample rules
Azure AD Tenant Wide Admin Consent Granted
- source: splunk
- techniques:
- T1098
- T1098.003
Description
The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it is crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations.
Detection logic
`azure_monitor_aad` operationName="Consent to application"
| eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', 4)
| rename properties.* as *
| rex field=new_field "ConsentType: (?<ConsentType>[^\,]+)"
| rex field=new_field "Scope: (?<Scope>[^\,]+)"
| search ConsentType = "AllPrincipals"
| stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType, Scope
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_tenant_wide_admin_consent_granted_filter`
O365 Tenant Wide Admin Consent Granted
- source: splunk
- techniques:
- T1098
- T1098.003
Description
The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it is crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations.
Detection logic
`o365_management_activity` Operation="Consent to application."
| eval new_field=mvindex('ModifiedProperties{}.NewValue', 4)
| rex field=new_field "ConsentType: (?<ConsentType>[^\,]+)"
| rex field=new_field "Scope: (?<Scope>[^\,]+)"
| search ConsentType = "AllPrincipals"
| stats count min(_time) as firstTime max(_time) as lastTime by Operation, user, object, ObjectId, ConsentType, Scope
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_tenant_wide_admin_consent_granted_filter`
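Both rules above share the same core logic: take the fifth modified-property value of a "Consent to application" event, pull ConsentType and Scope out of it with a comma-terminated regex, keep only AllPrincipals (tenant-wide) grants, and aggregate by actor and application with first/last seen times. The following Python is an added example that re-implements that pipeline outside Splunk, for instance to test the parsing against exported audit logs; it is not part of the Splunk security content. The event dictionaries, field names (new_values, object, object_id) and all identifiers inside them are constructed for illustration; the permission-grant string format is an assumption modelled on the "ConsentType: ..., Scope: ..." text the two rex stages expect.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regexes mirror the SPL rex stages: capture the value up to the next comma.
CONSENT_TYPE_RE = re.compile(r"ConsentType: (?P<ConsentType>[^,]+)")
SCOPE_RE = re.compile(r"Scope: (?P<Scope>[^,]+)")

# Azure AD audit logs and O365 Management Activity logs spell the operation slightly differently.
CONSENT_OPERATIONS = {"Consent to application", "Consent to application."}

# Constructed sample events (hypothetical tenant, users, apps and IDs; not real log data).
# "new_values" stands in for properties.targetResources{}.modifiedProperties{}.newValue (Azure AD)
# or ModifiedProperties{}.NewValue (O365); index 4 is the entry the rules read with mvindex(..., 4).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T10:00:00+00:00", "operation": "Consent to application",
     "user": "admin@contoso.example", "object": "Contoso Mail Sync",
     "object_id": "00000000-0000-0000-0000-000000000001",
     "new_values": ["[]", "False", "True", "[]",
                    "[[Id: grant-1, ClientId: sp-1, PrincipalId: , ResourceId: graph, "
                    "ConsentType: AllPrincipals, Scope: Mail.Read User.Read.All, "
                    "CreatedDateTime: 2024-03-01T10:00:00Z]]"]},
    # A per-user consent (ConsentType Principal) must NOT be flagged.
    {"time": "2024-03-01T11:15:00+00:00", "operation": "Consent to application",
     "user": "alice@contoso.example", "object": "Team Calendar Helper",
     "object_id": "00000000-0000-0000-0000-000000000002",
     "new_values": ["[]", "False", "False", "[]",
                    "[[Id: grant-2, ClientId: sp-2, PrincipalId: user-alice, ResourceId: graph, "
                    "ConsentType: Principal, Scope: Calendars.Read, "
                    "CreatedDateTime: 2024-03-01T11:15:00Z]]"]},
    # Second tenant-wide grant for the same app and admin: aggregates into the same row.
    {"time": "2024-03-02T09:30:00+00:00", "operation": "Consent to application",
     "user": "admin@contoso.example", "object": "Contoso Mail Sync",
     "object_id": "00000000-0000-0000-0000-000000000001",
     "new_values": ["[]", "False", "True", "[]",
                    "[[Id: grant-3, ClientId: sp-1, PrincipalId: , ResourceId: graph, "
                    "ConsentType: AllPrincipals, Scope: Mail.Read User.Read.All, "
                    "CreatedDateTime: 2024-03-02T09:30:00Z]]"]},
    # Unrelated operation: filtered out before parsing, like the base search does.
    {"time": "2024-03-02T12:00:00+00:00", "operation": "Add service principal",
     "user": "admin@contoso.example", "object": "Contoso Mail Sync",
     "object_id": "00000000-0000-0000-0000-000000000001",
     "new_values": ["[]"]},
]


def parse_consent(new_values):
    """Return (ConsentType, Scope) parsed from the fifth modified-property value, or None.

    Equivalent of: eval new_field=mvindex(..., 4) followed by the two rex stages.
    Events with fewer than five values, or no ConsentType text, are skipped rather than raising.
    """
    if len(new_values) < 5:
        return None
    field = new_values[4]
    consent_match = CONSENT_TYPE_RE.search(field)
    if consent_match is None:
        return None
    scope_match = SCOPE_RE.search(field)
    scope = scope_match.group("Scope").strip() if scope_match else ""
    return consent_match.group("ConsentType").strip(), scope


def find_tenant_wide_consents(events):
    """Equivalent of the search ConsentType="AllPrincipals" and stats stages.

    Returns one row per (operation, user, object, object_id, ConsentType, Scope)
    with count, firstTime and lastTime, like the SPL stats output.
    """
    groups = defaultdict(list)
    for event in events:
        if event["operation"] not in CONSENT_OPERATIONS:
            continue
        parsed = parse_consent(event["new_values"])
        if parsed is None or parsed[0] != "AllPrincipals":
            continue
        consent_type, scope = parsed
        key = (event["operation"], event["user"], event["object"],
               event["object_id"], consent_type, scope)
        groups[key].append(datetime.fromisoformat(event["time"]))

    rows = []
    for key, times in groups.items():
        rows.append({
            "operation": key[0], "user": key[1], "object": key[2], "object_id": key[3],
            "ConsentType": key[4], "Scope": key[5],
            "count": len(times),
            "firstTime": min(times).isoformat(),
            "lastTime": max(times).isoformat(),
        })
    return rows


if __name__ == "__main__":
    for row in find_tenant_wide_consents(SAMPLE_EVENTS):
        print(row)
```

Running the block prints a single aggregated row for the admin who granted tenant-wide consent twice to the same app; the per-user (Principal) consent and the unrelated operation are dropped, which is the same behaviour as the two Splunk searches. Any allow-listing of known-good applications belongs where the `_filter` macros sit in the rules, after the aggregation.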