O365 User Consent Blocked for Risky Application

Name:O365 User Consent Blocked for Risky Application
id:242e4d30-cb59-4051-b0cf-58895e218f40
version:3
date:2024-09-30
author:Mauricio Velazco, Splunk
status:production
type:TTP
Description:The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This detection leverages O365 audit logs, specifically focusing on failed user consent actions due to system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that O365's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation.
Data_source:

• -O365 Consent to application.

search:`o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Failure
| eval permissions =mvindex('ModifiedProperties{}.NewValue', 4)
| eval reason =mvindex('ModifiedProperties{}.NewValue', 5)
| search reason = "Risky application detected"
| rex field=permissions "Scope: (?<Scope>[^,]+)"
| stats max(_time) as lastTime by Operation, user, reason, object, Scope
| `security_content_ctime(lastTime)`
| `o365_user_consent_blocked_for_risky_application_filter`

how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives:Microsofts algorithm to identify risky applications is unknown and may flag legitimate applications.
References:
  -https://attack.mitre.org/techniques/T1528/
  -https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
  -https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing
  -https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth
  -https://www.alteredsecurity.com/post/introduction-to-365-stealer
  -https://github.com/AlteredSecurity/365-Stealer
drilldown_searches:
 name:'View the detection results for - "$user$"'
 search:'%original_detection_search% | search user = "$user$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$user$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Office 365 Account Takeover'
  asset_type:O365 Tenant
  confidence:100
  impact:30
  message:O365 has blocked $user$ attempt to grant to consent to an application deemed risky.
  mitre_attack_id:
    - 'T1528'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  risk_score:30
  required_fields:
    - '_time'
    - 'Workload'
    - 'Operation'
    - 'ResultStatus'
    - 'ModifiedProperties{}.NewValue'
    - 'object'
    - 'ObjectId'
  security_domain:identity

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log
  source: o365
  sourcetype: o365:management:activity
manual_test:None