LoFP / Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization

Sample rules

Description

The following analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. It monitors Azure Active Directory logs for the “Update authorization policy” operation, specifically changes to the “AllowUserConsentForRiskyApps” setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats by allowing users to grant consent to potentially malicious applications. If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization.

Detection logic

`azure_monitor_aad` operationName="Update authorization policy" 
| rename properties.* as *  
| eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "AllowUserConsentForRiskyApps") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "AllowUserConsentForRiskyApps"), -1) 
| search index_number >= 0  
| eval AllowUserConsentForRiskyApps = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number) 
| search AllowUserConsentForRiskyApps = "[true]" 
| stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, operationName, AllowUserConsentForRiskyApps 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_block_user_consent_for_risky_apps_disabled_filter`

Description

The following analytic detects when the “risk-based step-up consent” security setting in Microsoft 365 is disabled. It monitors Azure Active Directory logs for the “Update authorization policy” operation, specifically changes to the “AllowUserConsentForRiskyApps” setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats, allowing users to grant consent to malicious applications. If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory Operation="Update authorization policy." 
| eval index_number = if(mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps") >= 0, mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps"), -1) 
| search index_number >= 0  
| eval AllowUserConsentForRiskyApps = mvindex('ModifiedProperties{}.NewValue',index_number) 
| where AllowUserConsentForRiskyApps like "%true%" 
| stats count min(_time) as firstTime max(_time) as lastTime by user, Operation, AllowUserConsentForRiskyApps, user_agent 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_block_user_consent_for_risky_apps_disabled_filter`
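To see how the two rules' mvfind/mvindex lookups behave on concrete events, the following is an added Python example, not part of the LoFP page or of the Splunk rules themselves; the sample events are constructed and only mirror the field paths the SPL queries.

```python
import json

SETTING = "AllowUserConsentForRiskyApps"

# Constructed sample events (not real tenant data) in the two log shapes
# the rules above query; field names follow the SPL field paths.
AAD_DISABLED = json.dumps({
    "operationName": "Update authorization policy",
    "properties": {"targetResources": [{"modifiedProperties": [
        {"displayName": "BlockMsolPowerShell", "newValue": "[false]"},
        {"displayName": SETTING, "newValue": "[true]"},
    ]}]},
})
AAD_UNRELATED = json.dumps({
    "operationName": "Update authorization policy",
    "properties": {"targetResources": [{"modifiedProperties": [
        {"displayName": "BlockMsolPowerShell", "newValue": "[true]"},
    ]}]},
})
O365_DISABLED = json.dumps({
    "Workload": "AzureActiveDirectory", "Operation": "Update authorization policy.",
    "ModifiedProperties": [{"Name": SETTING, "NewValue": "[true]"}],
})

def new_value_for(props, name_key, value_key):
    """Python equivalent of the rules' mvfind/mvindex pair: find the property
    named AllowUserConsentForRiskyApps and return the NewValue at that same
    position (None when the setting was not part of the change)."""
    for prop in props:  # iterating objects keeps name and value aligned
        if prop.get(name_key) == SETTING:
            return prop.get(value_key)
    return None

def aad_event_matches(raw):
    """Azure Monitor AAD shape (first rule): exact newValue "[true]"."""
    ev = json.loads(raw)
    if ev.get("operationName") != "Update authorization policy":
        return False
    targets = ev.get("properties", {}).get("targetResources", [])
    return any(new_value_for(t.get("modifiedProperties", []),
                             "displayName", "newValue") == "[true]" for t in targets)

def o365_event_matches(raw):
    """O365 shape (second rule): trailing dot in Operation, NewValue like '%true%'."""
    ev = json.loads(raw)
    if ev.get("Workload") != "AzureActiveDirectory" or ev.get("Operation") != "Update authorization policy.":
        return False
    val = new_value_for(ev.get("ModifiedProperties", []), "Name", "NewValue")
    return val is not None and "true" in val
```

A policy update that touches other authorization-policy properties but leaves AllowUserConsentForRiskyApps untouched (AAD_UNRELATED) does not fire, which is the distinction to check first when triaging the legitimate changes this LoFP entry describes.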