Data Source: O365 Consent to application.

Date: 2025-01-23

ID: 0a15a464-ef51-4614-9a07-a216eb9817db

Author: Patrick Bareiss, Splunk

Description

Logs user or administrator consent to an application's permissions in Microsoft 365, including details about the application, granted permissions, and the consenting user or process.

Details

Property	Value
Source	`o365`
Sourcetype	`o365:management:activity`
Separator	Operation

Name ▲▼	Technique ▲▼	Type ▲▼
O365 File Permissioned Application Consent Granted by User	Steal Application Access Token	TTP
O365 Mail Permissioned Application Consent Granted by User	Steal Application Access Token	TTP
O365 Tenant Wide Admin Consent Granted	Additional Cloud Roles	TTP
O365 User Consent Blocked for Risky Application	Steal Application Access Token	TTP

Supported Apps

Splunk Add-on for Microsoft Office 365 (version 5.1.0)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">ActorContextId</span>
  
  <span class="pill kill-chain">Actor{}.ID</span>
  
  <span class="pill kill-chain">Actor{}.Type</span>
  
  <span class="pill kill-chain">AzureActiveDirectoryEventType</span>
  
  <span class="pill kill-chain">CreationTime</span>
  
  <span class="pill kill-chain">ExtendedProperties{}.Name</span>
  
  <span class="pill kill-chain">ExtendedProperties{}.Value</span>
  
  <span class="pill kill-chain">Id</span>
  
  <span class="pill kill-chain">InterSystemsId</span>
  
  <span class="pill kill-chain">IntraSystemId</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.Name</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.NewValue</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.OldValue</span>
  
  <span class="pill kill-chain">ObjectId</span>
  
  <span class="pill kill-chain">Operation</span>
  
  <span class="pill kill-chain">OrganizationId</span>
  
  <span class="pill kill-chain">RecordType</span>
  
  <span class="pill kill-chain">ResultStatus</span>
  
  <span class="pill kill-chain">SupportTicketId</span>
  
  <span class="pill kill-chain">TargetContextId</span>
  
  <span class="pill kill-chain">Target{}.ID</span>
  
  <span class="pill kill-chain">Target{}.Type</span>
  
  <span class="pill kill-chain">UserId</span>
  
  <span class="pill kill-chain">UserKey</span>
  
  <span class="pill kill-chain">UserType</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">Workload</span>
  
  <span class="pill kill-chain">additionalDetails</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">authentication_service</span>
  
  <span class="pill kill-chain">command</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dest_name</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">event_type</span>
  
  <span class="pill kill-chain">extendedAuditEventCategory</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">object</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">record_type</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">user_agent</span>
  
  <span class="pill kill-chain">user_agent_change</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">user_type</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1{"CreationTime": "2023-09-05T21:05:31", "Id": "5822e126-1fbc-4269-9ad6-4c1879cdbcf3", "Operation": "Consent to application.", "OrganizationId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "95106c0e-3519-450e-8e38-7f326d873454", "UserId": "attacker@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"AppId\":\"95106c0e-3519-450e-8e38-7f326d873454\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "NewValue": "True", "OldValue": ""}, {"Name": "ConsentContext.IsAppOnly", "NewValue": "False", "OldValue": ""}, {"Name": "ConsentContext.OnBehalfOfAll", "NewValue": "True", "OldValue": ""}, {"Name": "ConsentContext.Tags", "NewValue": "", "OldValue": ""}, {"Name": "ConsentAction.Permissions", "NewValue": "[] => [[Id: r2KtIS6Zn0q2wWeqbIputLSZcc5Sj_NGtUtP2B3pYeI, ClientId: 21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4, PrincipalId: , ResourceId: ce7199b4-8f52-46f3-b54b-4fd81de961e2, ConsentType: AllPrincipals, Scope: User.Read, CreatedDateTime: , LastModifiedDateTime ]]; ", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}], "Actor": [{"ID": "attacker@contoso.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "InterSystemsId": "e0fb6206-12db-4fdf-bf52-699b254124d3", "IntraSystemId": "897d35e6-e2dc-455e-ba65-e6d58adae01f", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type": 2}, {"ID": "21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "TestApp2", "Type": 1}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 2}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 4}], "TargetContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5"}

Required Output Fields

dest
user
src
vendor_account
vendor_product

Source: GitHub | Version: 2