Azure AD User Consent Blocked for Risky Application
Description
The following analytic detects instances where Azure AD has blocked a user's attempt to grant consent to a risky or potentially malicious application. This detection leverages Azure AD audit logs, focusing on user consent actions and system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that Azure's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation to understand the context and take preventive measures.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Risk
- Last Updated: 2024-05-30
- Author: Mauricio Velazco, Splunk
- ID: 06b8ec9a-d3b5-4882-8f16-04b4d10f5eab
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
`azure_monitor_aad` operationName="Consent to application" properties.result=failure
| rename properties.* as *
| eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason"), -1)
| eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions"), -1)
| search reason_index >= 0
| eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index)
| eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index)
| search reason = "\"Risky application detected\""
| rex field=permissions "Scope: (?<Scope>[^,]+)"
| stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, reason, Scope
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_user_consent_blocked_for_risky_application_filter`
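The field handling the search relies on (locate ConsentAction.Reason and ConsentAction.Permissions in the modifiedProperties array, match the JSON-quoted reason, pull Scope out of the permissions string), as an added Python example that is not Splunk's code or part of the detection. The event below is constructed to mirror an azure:monitor:aad AuditLog record; taking the user from properties.initiatedBy.user.userPrincipalName is an assumption.

```python
import json
import re

# Constructed event shaped like an azure:monitor:aad "Consent to application"
# audit record (not a real capture). newValue entries are JSON-encoded strings,
# which is why the SPL compares reason against "\"Risky application detected\"".
SAMPLE_EVENT = {
    "operationName": "Consent to application",
    "properties": {
        "result": "failure",
        "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.com"}},  # assumed user source
        "targetResources": [{
            "displayName": "ConstructedApp",
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": "\"[[Id: 00000000-0000-0000-0000-000000000000, ConsentType: Principal, "
                             "Scope: openid profile Mail.ReadWrite offline_access, ExpiryTime: ]]\""},
                {"displayName": "ConsentAction.Reason", "newValue": "\"Risky application detected\""},
            ],
        }],
    },
}

SCOPE_RE = re.compile(r"Scope: (?P<Scope>[^,]+)")  # same pattern as the SPL rex


def modified_property(event, name):
    """Mirror mvfind/mvindex: newValue of the first modifiedProperty with this displayName, or None."""
    for target in event.get("properties", {}).get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                return prop.get("newValue")
    return None


def blocked_risky_consent(event):
    """Return {user, reason, Scope} when the event matches the detection logic, else None."""
    props = event.get("properties", {})
    if event.get("operationName") != "Consent to application" or props.get("result") != "failure":
        return None
    raw_reason = modified_property(event, "ConsentAction.Reason")
    if raw_reason is None:  # SPL: search reason_index >= 0
        return None
    try:
        reason = json.loads(raw_reason)  # strip the JSON quoting around the value
    except ValueError:
        return None
    if reason != "Risky application detected":
        return None
    match = SCOPE_RE.search(modified_property(event, "ConsentAction.Permissions") or "")
    user = props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
    return {"user": user, "reason": reason, "Scope": match.group("Scope") if match else None}
```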
Macros
The SPL above uses the following Macros:
azure_ad_user_consent_blocked_for_risky_application_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- operationName
- properties.result
- properties.targetResources{}.modifiedProperties{}.displayName
- properties.targetResources{}.modifiedProperties{}.newValue
How To Implement
You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
Known False Positives
UPDATE_KNOWN_FALSE_POSITIVES
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 30.0 | 30 | 100 | Azure AD has blocked $user$'s attempt to grant consent to an application deemed risky. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1528/
- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth
- https://www.alteredsecurity.com/post/introduction-to-365-stealer
- https://github.com/AlteredSecurity/365-Stealer
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2