Techniques
Sample rules
O365 File Permissioned Application Consent Granted by User
- source: splunk
- technicques:
- T1528
Description
The following analytic identifies instances where a user in the Office 365 environment grants consent to an application requesting file permissions for OneDrive or SharePoint. It leverages O365 audit logs, focusing on OAuth application consent events. This activity is significant because granting such permissions can allow applications to access, modify, or delete files, posing a risk if the application is malicious or overly permissive. If confirmed malicious, this could lead to data breaches, data loss, or unauthorized data manipulation, necessitating immediate investigation to validate the application’s legitimacy and assess potential risks.
Detection logic
`o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success
| eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0)
| search admin_consent=False
| eval permissions =mvindex('ModifiedProperties{}.NewValue', 4)
| rex field=permissions "Scope: (?<Scope>[^,]+)"
| makemv delim=" " Scope
| search Scope IN ("Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All", "Files.ReadWrite.AppFolder")
| stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId
| `security_content_ctime(lastTime)`
| `o365_file_permissioned_application_consent_granted_by_user_filter`