Sample rules
Azure AD User Consent Blocked for Risky Application
- source: splunk
- techniques:
- T1528
Description
The following analytic detects instances where Azure AD has blocked a user’s attempt to grant consent to a risky or potentially malicious application. This detection leverages Azure AD audit logs, focusing on user consent actions and system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that Azure’s security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation to understand the context and take preventive measures.
Detection logic
`azure_monitor_aad` operationName="Consent to application" properties.result=failure
| rename properties.* as *
| eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason"), -1)
| eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions"), -1)
| search reason_index >= 0
| eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index)
| eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index)
| search reason = "\"Risky application detected\""
| rex field=permissions "Scope: (?<Scope>[^,]+)"
| stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, reason, Scope
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_user_consent_blocked_for_risky_application_filter`
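To make the search's field handling concrete, the following is an added Python re-implementation of the same detection logic over a handful of constructed Azure AD audit-log records; it is not Splunk's code or part of the rule above. It assumes events already flattened the way `rename properties.* as *` leaves them (top-level `operationName`, `result`, `user`, `targetResources[].modifiedProperties[]` with `displayName`/`newValue`), and the user names, timestamps and the non-risky reason string are constructed placeholders.

```python
"""Python mirror of the 'Azure AD User Consent Blocked for Risky Application'
SPL: locate the ConsentAction.Reason / ConsentAction.Permissions entries,
keep only blocks for 'Risky application detected', pull Scope out of the
permissions string, and aggregate like the stats clause.
"""
import re

# The SPL matches the newValue literally, including its surrounding quotes.
BLOCK_REASON = '"Risky application detected"'
# Same pattern as the rex stage: everything after "Scope: " up to the next comma.
SCOPE_RE = re.compile(r"Scope: (?P<Scope>[^,]+)")


def consent_details(event):
    """Mirror the mvfind/mvindex pair: flatten modifiedProperties across all
    targetResources, then pick the newValue at the index where displayName
    matches. Returns (reason, permissions); None stands in for the SPL's -1."""
    names, values = [], []
    for resource in event.get("targetResources", []):
        for prop in resource.get("modifiedProperties", []):
            names.append(prop.get("displayName"))
            values.append(prop.get("newValue"))

    def lookup(name):
        return values[names.index(name)] if name in names else None

    return lookup("ConsentAction.Reason"), lookup("ConsentAction.Permissions")


def detect_blocked_risky_consent(events):
    """Apply the SPL's filters and return rows shaped like its stats output,
    keyed by (operationName, user, reason, Scope)."""
    rows = {}
    for ev in events:
        if ev.get("operationName") != "Consent to application":
            continue
        if ev.get("result") != "failure":
            continue
        reason, permissions = consent_details(ev)
        if reason is None:            # search reason_index >= 0
            continue
        if reason != BLOCK_REASON:    # search reason = "\"Risky application detected\""
            continue
        match = SCOPE_RE.search(permissions or "")
        if match is None:
            # `stats ... by Scope` silently drops events where Scope is null;
            # mirror that so counts line up with the search.
            continue
        key = (ev["operationName"], ev.get("user"), reason, match.group("Scope"))
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return [
        {"operationName": k[0], "user": k[1], "reason": k[2], "Scope": k[3], **v}
        for k, v in sorted(rows.items())
    ]


def _event(ts, user, result, reason=None, permissions=None):
    """Build one constructed audit record in the flattened shape."""
    props = []
    if reason is not None:
        props.append({"displayName": "ConsentAction.Reason", "newValue": reason})
    if permissions is not None:
        props.append({"displayName": "ConsentAction.Permissions", "newValue": permissions})
    return {"_time": ts, "operationName": "Consent to application", "result": result,
            "user": user, "targetResources": [{"modifiedProperties": props}]}


# Constructed sample data (not real tenant logs). The permissions string copies
# the bracketed "Key: value, Key: value" layout the rex stage expects.
PERMS = '"[[Id: <id-placeholder>, ClientId: <client-id-placeholder>, Scope: Mail.Read User.Read, ConsentType: Principal]]"'
SAMPLE_EVENTS = [
    _event(1700000000, "alice@example.com", "failure", BLOCK_REASON, PERMS),
    _event(1700003600, "alice@example.com", "failure", BLOCK_REASON, PERMS),
    # Blocked for a different (constructed) reason: excluded by the reason filter.
    _event(1700001000, "bob@example.com", "failure", '"Consent policy denied"', PERMS),
    # Successful consent: excluded by result=failure.
    _event(1700002000, "carol@example.com", "success", None, PERMS),
    # Risky block with no permissions entry: no Scope, dropped by stats-by semantics.
    _event(1700004000, "dave@example.com", "failure", BLOCK_REASON, None),
]

if __name__ == "__main__":
    for row in detect_blocked_risky_consent(SAMPLE_EVENTS):
        print(row)
```

Running it yields a single row for the constructed `alice@example.com` user with count 2 and the scope `Mail.Read User.Read`. The explicit skip when Scope is missing is the one place the Python has to spell out behaviour the SPL gets for free: a `stats ... by` field that is null drops the event, so a risky-app block whose permissions entry lacks `Scope:` never reaches the results and may deserve a separate, looser search.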