O365 User Consent Blocked for Risky Application
Description
The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This detection leverages O365 audit logs, specifically focusing on failed user consent actions due to system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that O365's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Risk
- Last Updated: 2024-05-26
- Author: Mauricio Velazco, Splunk
- ID: 242e4d30-cb59-4051-b0cf-58895e218f40
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
`o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Failure
| eval permissions =mvindex('ModifiedProperties{}.NewValue', 4)
| eval reason =mvindex('ModifiedProperties{}.NewValue', 5)
| search reason = "Risky application detected"
| rex field=permissions "Scope: (?<Scope>[^,]+)"
| stats max(_time) as lastTime by Operation, user, reason, object, Scope
| `security_content_ctime(lastTime)`
| `o365_user_consent_blocked_for_risky_application_filter`
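The SPL above selects failed "Consent to application." events, pulls the consent permissions and the block reason out of the ModifiedProperties{}.NewValue multivalue field by position (index 4 and 5), keeps only events whose reason is "Risky application detected", extracts the requested OAuth scope with a regex, and reports the latest hit per user, application and scope. The following Python is an added example, not part of the Splunk Security Content rule or the Office 365 add-on: it replays the same logic over constructed sample events so the filtering, positional extraction and grouping can be checked offline. The ModifiedProperties entry names, the raw Permissions string layout, and the aliasing of UserId to user and ObjectId to object are assumptions about the add-on's output.

```python
import re

# Splunk's rex "Scope: (?<Scope>[^,]+)" reproduced with Python syntax.
SCOPE_RE = re.compile(r"Scope: (?P<Scope>[^,]+)")


def _consent_event(ts, user, app, status, scope, reason):
    """Build a constructed (not real) O365 'Consent to application.' event.

    ModifiedProperties is an ordered list; Splunk flattens the NewValue of
    each entry into the multivalue field ModifiedProperties{}.NewValue in
    the same order, which is what mvindex(..., 4) and mvindex(..., 5)
    rely on in the SPL. The entry names below are assumed, not from the page.
    """
    return {
        "_time": ts,
        "Workload": "AzureActiveDirectory",
        "Operation": "Consent to application.",
        "ResultStatus": status,
        "UserId": user,      # the add-on aliases this to "user" (assumption)
        "ObjectId": app,     # the add-on aliases this to "object" (assumption)
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
            {"Name": "ConsentContext.IsAppOnly", "NewValue": "False"},
            {"Name": "ConsentContext.OnBehalfOfAll", "NewValue": "False"},
            {"Name": "ConsentContext.Tags", "NewValue": ""},
            {"Name": "ConsentAction.Permissions",
             "NewValue": "[] => [[Id: 11111111-1111-1111-1111-111111111111, "
                         "ClientId: 22222222-2222-2222-2222-222222222222, "
                         f"ConsentType: Principal, Scope: {scope}, "
                         "CreatedDateTime: 2024-05-26T10:00:00]]"},
            {"Name": "ConsentAction.Reason", "NewValue": reason},
        ],
    }


# Constructed sample log: two blocked risky-consent attempts by the same user
# for the same app (the stats command should collapse them into one row with
# the later timestamp), one failure with a different reason, and one success.
SAMPLE_EVENTS = [
    _consent_event(1716710400, "alice@example.com", "Mail Helper Pro", "Failure",
                   "Mail.Read offline_access", "Risky application detected"),
    _consent_event(1716714000, "alice@example.com", "Mail Helper Pro", "Failure",
                   "Mail.Read offline_access", "Risky application detected"),
    _consent_event(1716717600, "bob@example.com", "Expense Tracker", "Failure",
                   "User.Read", "Consent blocked by policy"),
    _consent_event(1716721200, "carol@example.com", "Mail Helper Pro", "Success",
                   "Mail.Read", ""),
]


def mvindex(values, i):
    """Mimic Splunk's mvindex(): the i-th value, or None when out of range."""
    return values[i] if 0 <= i < len(values) else None


def detect_blocked_risky_consent(events, reason_match="Risky application detected"):
    """Return one row per (Operation, user, reason, object, Scope) with the
    latest _time, mirroring the base search, eval, search, rex and stats
    stages of the SPL. String comparison is case-insensitive, as the
    Splunk search command's field match is."""
    latest = {}
    for ev in events:
        # Base search: Workload, Operation and ResultStatus filters.
        if ev.get("Workload") != "AzureActiveDirectory":
            continue
        if ev.get("Operation") != "Consent to application.":
            continue
        if ev.get("ResultStatus") != "Failure":
            continue
        # eval permissions / reason via positional mvindex on NewValue.
        new_values = [p.get("NewValue") for p in ev.get("ModifiedProperties", [])]
        permissions = mvindex(new_values, 4)
        reason = mvindex(new_values, 5)
        # | search reason = "Risky application detected"
        if reason is None or reason.lower() != reason_match.lower():
            continue
        # | rex field=permissions "Scope: (?<Scope>[^,]+)"
        m = SCOPE_RE.search(permissions or "")
        scope = m.group("Scope") if m else None
        # | stats max(_time) as lastTime by Operation, user, reason, object, Scope
        key = (ev["Operation"], ev["UserId"], reason, ev["ObjectId"], scope)
        latest[key] = max(latest.get(key, 0), ev["_time"])
    return [
        {"Operation": k[0], "user": k[1], "reason": k[2],
         "object": k[3], "Scope": k[4], "lastTime": t}
        for k, t in sorted(latest.items())
    ]


if __name__ == "__main__":
    for row in detect_blocked_risky_consent(SAMPLE_EVENTS):
        print(row)
```

One point worth keeping in mind when tuning the real search: the extraction is positional, so it silently breaks if Microsoft adds, removes or reorders ModifiedProperties entries for this operation. If that happens, `reason` will no longer equal the expected string and the detection returns nothing rather than raising an error, so a periodic check that the search still returns rows against known blocked-consent events (or a variant that selects the entries by their Name) is a cheap safeguard.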
Macros
The SPL above uses the following Macros:
o365_user_consent_blocked_for_risky_application_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Workload
- Operation
- ResultStatus
- ModifiedProperties{}.NewValue
- object
- ObjectId
How To Implement
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
Known False Positives
Microsoft's algorithm for identifying risky applications is not public and may flag legitimate applications.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message
---|---|---|---
30.0 | 30 | 100 | O365 has blocked $user$'s attempt to grant consent to an application deemed risky.
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1528/
- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth
- https://www.alteredsecurity.com/post/introduction-to-365-stealer
- https://github.com/AlteredSecurity/365-Stealer
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 2