Data Source: Azure Active Directory Consent to application

Date: 2025-01-23

ID: 4c5d6c49-53e3-4980-a4de-c63e26291ed0

Author: Patrick Bareiss, Splunk

Description

Logs user or admin consent to an application's permissions in Azure Active Directory, including details about the application, granted permissions, and the consenting user or process.

Details

Property	Value
Source	`Azure AD`
Sourcetype	`azure:monitor:aad`
Separator	operationName

Name ▲▼	Technique ▲▼	Type ▲▼
Azure AD OAuth Application Consent Granted By User	Steal Application Access Token	TTP
Azure AD Tenant Wide Admin Consent Granted	Additional Cloud Roles	TTP
Azure AD User Consent Blocked for Risky Application	Steal Application Access Token	TTP

Supported Apps

Splunk Add-on for Microsoft Cloud Services (version 6.1.0)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">callerIpAddress</span>
  
  <span class="pill kill-chain">category</span>
  
  <span class="pill kill-chain">correlationId</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">durationMs</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">operationName</span>
  
  <span class="pill kill-chain">operationVersion</span>
  
  <span class="pill kill-chain">properties.activityDateTime</span>
  
  <span class="pill kill-chain">properties.activityDisplayName</span>
  
  <span class="pill kill-chain">properties.additionalDetails{}.key</span>
  
  <span class="pill kill-chain">properties.additionalDetails{}.value</span>
  
  <span class="pill kill-chain">properties.category</span>
  
  <span class="pill kill-chain">properties.correlationId</span>
  
  <span class="pill kill-chain">properties.id</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.displayName</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.id</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.ipAddress</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.userPrincipalName</span>
  
  <span class="pill kill-chain">properties.loggedByService</span>
  
  <span class="pill kill-chain">properties.operationType</span>
  
  <span class="pill kill-chain">properties.result</span>
  
  <span class="pill kill-chain">properties.resultReason</span>
  
  <span class="pill kill-chain">properties.targetResources{}.displayName</span>
  
  <span class="pill kill-chain">properties.targetResources{}.id</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.displayName</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.newValue</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.oldValue</span>
  
  <span class="pill kill-chain">properties.targetResources{}.type</span>
  
  <span class="pill kill-chain">properties.userAgent</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">resourceId</span>
  
  <span class="pill kill-chain">resultDescription</span>
  
  <span class="pill kill-chain">resultSignature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">tenantId</span>
  
  <span class="pill kill-chain">time</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
</div>

Example Log

1{"time": "2023-10-27T16:14:14.9747033Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Consent to application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "resultDescription": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException", "durationMs": 0, "callerIpAddress": "13.85.188.242", "correlationId": "864210f1-2950-47cb-9e12-1a71dcbdb1d5", "Level": 4, "properties": {"id": "Directory_864210f1-2950-47cb-9e12-1a71dcbdb1d5_DO21D_338329364", "category": "ApplicationManagement", "correlationId": "864210f1-2950-47cb-9e12-1a71dcbdb1d5", "result": "failure", "resultReason": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException", "activityDisplayName": "Consent to application", "activityDateTime": "2023-10-27T16:14:14.9747033+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName": null, "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "ipAddress": "13.85.188.242", "roles": []}}, "targetResources": [{"id": "6228c72e-8895-4681-bbda-238132dc4f3c", "displayName": "Bad App 1", "type": "Application", "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.IsAppOnly", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.OnBehalfOfAll", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.Tags", "oldValue": null, "newValue": "\"WindowsAzureActiveDirectoryIntegratedApp\""}, {"displayName": "ConsentAction.Permissions", "oldValue": null, "newValue": "\"[] => [[Id: AAAAAAAAAAAAAAAAAAAAALSZcc5Sj_NGtUtP2B3pYeI2veRXIpdKSpcpcgPY4Aty, ClientId: 00000000-0000-0000-0000-000000000000, PrincipalId: 57e4bd36-9722-4a4a-9729-7203d8e00b72, ResourceId: ce7199b4-8f52-46f3-b54b-4fd81de961e2, ConsentType: Principal, Scope: Mail.Read Mail.Read.Shared Mail.ReadBasic Mail.ReadBasic.Shared Mail.ReadWrite Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared User.Read, CreatedDateTime: , LastModifiedDateTime ]]; \""}, {"displayName": "ConsentAction.Reason", "oldValue": null, "newValue": "\"Risky application detected\""}, {"displayName": "MethodExecutionResult.", "oldValue": null, "newValue": "\"Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "EvoSTS"}, {"key": "AppId", "value": "96f6a3d6-d5aa-4af5-a77a-9319b5283712"}]}}

Required Output Fields

dest
user
src
vendor_account
vendor_product

Source: GitHub | Version: 2