End-user consent stopped due to risk-based consent
| Id | 009b9bae-23dd-43c4-bcb9-11c4ba7c784a |
| Rulename | End-user consent stopped due to risk-based consent |
| Description | Detects a user’s consent to an OAuth application being blocked due to it being too risky. These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent |
| Severity | Medium |
| Tactics | Persistence PrivilegeEscalation |
| Techniques | T1078.004 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml |
| Version | 1.1.1 |
| Arm template | 009b9bae-23dd-43c4-bcb9-11c4ba7c784a.json |
AuditLogs
| where OperationName has "Consent to application"
| where Result =~ "failure"
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend userAgent = iif(AdditionalDetails[0].key == "User-Agent", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))
| where isnotempty(TargetResources)
| extend TargetAppName = tostring(TargetResources[0].displayName)
| extend TargetAppId = tostring(TargetResources[0].id)
| mv-expand TargetResources[0].modifiedProperties
| extend TargetResources_0_modifiedProperties = columnifexists("TargetResources_0_modifiedProperties", '')
| where isnotempty(TargetResources_0_modifiedProperties)
| where TargetResources_0_modifiedProperties.displayName =~ "MethodExecutionResult."
| extend TargetPropertyDisplayName = tostring(TargetResources_0_modifiedProperties.displayName)
| extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
| where FailureReason contains "Risky"
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, OperationName, Result, TargetAppName, TargetAppId, FailureReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, userAgent
name: End-user consent stopped due to risk-based consent
relevantTechniques:
- T1078.004
requiredDataConnectors:
- dataTypes:
- AuditLogs
connectorId: AzureActiveDirectory
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml
query: |
AuditLogs
| where OperationName has "Consent to application"
| where Result =~ "failure"
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend userAgent = iif(AdditionalDetails[0].key == "User-Agent", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))
| where isnotempty(TargetResources)
| extend TargetAppName = tostring(TargetResources[0].displayName)
| extend TargetAppId = tostring(TargetResources[0].id)
| mv-expand TargetResources[0].modifiedProperties
| extend TargetResources_0_modifiedProperties = columnifexists("TargetResources_0_modifiedProperties", '')
| where isnotempty(TargetResources_0_modifiedProperties)
| where TargetResources_0_modifiedProperties.displayName =~ "MethodExecutionResult."
| extend TargetPropertyDisplayName = tostring(TargetResources_0_modifiedProperties.displayName)
| extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
| where FailureReason contains "Risky"
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, OperationName, Result, TargetAppName, TargetAppId, FailureReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, userAgent
tactics:
- Persistence
- PrivilegeEscalation
description: |
'Detects a user's consent to an OAuth application being blocked due to it being too risky.
These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent'
entityMappings:
- fieldMappings:
- columnName: InitiatingUserPrincipalName
identifier: FullName
- columnName: InitiatingAccountName
identifier: Name
- columnName: InitiatingAccountUPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: InitiatingAadUserId
identifier: AadUserId
entityType: Account
- fieldMappings:
- columnName: InitiatingIPAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: TargetAppId
identifier: AppId
- columnName: TargetAppName
identifier: Name
entityType: CloudApplication
queryFrequency: 1d
triggerOperator: gt
metadata:
source:
kind: Community
support:
tier: Community
author:
name: Microsoft Security Research
categories:
domains:
- Security - Others
version: 1.1.1
queryPeriod: 1d
kind: Scheduled
severity: Medium
triggerThreshold: 0
id: 009b9bae-23dd-43c4-bcb9-11c4ba7c784a
tags:
- AADSecOpsGuide
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/009b9bae-23dd-43c4-bcb9-11c4ba7c784a')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/009b9bae-23dd-43c4-bcb9-11c4ba7c784a')]",
"properties": {
"alertRuleTemplateName": "009b9bae-23dd-43c4-bcb9-11c4ba7c784a",
"customDetails": null,
"description": "'Detects a user's consent to an OAuth application being blocked due to it being too risky.\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent'\n",
"displayName": "End-user consent stopped due to risk-based consent",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "InitiatingAccountName",
"identifier": "Name"
},
{
"columnName": "InitiatingAccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "InitiatingIPAddress",
"identifier": "Address"
}
]
},
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "TargetAppId",
"identifier": "AppId"
},
{
"columnName": "TargetAppName",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml",
"query": "AuditLogs\n | where OperationName has \"Consent to application\"\n | where Result =~ \"failure\"\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\n | extend userAgent = iif(AdditionalDetails[0].key == \"User-Agent\", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\n | where isnotempty(TargetResources)\n | extend TargetAppName = tostring(TargetResources[0].displayName)\n | extend TargetAppId = tostring(TargetResources[0].id)\n | mv-expand TargetResources[0].modifiedProperties\n | extend TargetResources_0_modifiedProperties = columnifexists(\"TargetResources_0_modifiedProperties\", '')\n | where isnotempty(TargetResources_0_modifiedProperties)\n | where TargetResources_0_modifiedProperties.displayName =~ \"MethodExecutionResult.\"\n | extend TargetPropertyDisplayName = tostring(TargetResources_0_modifiedProperties.displayName)\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\n | where FailureReason contains \"Risky\"\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \"@\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \"@\")[1])\n | project-reorder TimeGenerated, OperationName, Result, TargetAppName, TargetAppId, FailureReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, userAgent\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"subTechniques": [
"T1078.004"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence",
"PrivilegeEscalation"
],
"tags": [
"AADSecOpsGuide"
],
"techniques": [
"T1078"
],
"templateVersion": "1.1.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}