Name:Azure AD User Consent Blocked for Risky Application id:06b8ec9a-d3b5-4882-8f16-04b4d10f5eab version:3 date:2024-09-30 author:Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic detects instances where Azure AD has blocked a user's attempt to grant consent to a risky or potentially malicious application. This detection leverages Azure AD audit logs, focusing on user consent actions and system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that Azure's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation to understand the context and take preventive measures. Data_source:
how_to_implement:You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. known_false_positives:UPDATE_KNOWN_FALSE_POSITIVES References: -https://attack.mitre.org/techniques/T1528/ -https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ -https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing -https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth -https://www.alteredsecurity.com/post/introduction-to-365-stealer -https://github.com/AlteredSecurity/365-Stealer drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Azure Active Directory Account Takeover' asset_type:Azure Tenant confidence:100 impact:30 message:Azure AD has blocked $user$ attempt to grant to consent to an application deemed risky. mitre_attack_id: - 'T1528' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:30 required_fields: - '_time' - 'operationName' - 'properties.result' - 'properties.targetResources{}.modifiedProperties{}.displayName' - 'properties.targetResources{}.modifiedProperties{}.newValue' security_domain:identity
