End-user consent stopped due to risk-based consent
Id | 009b9bae-23dd-43c4-bcb9-11c4ba7c784a |
Rulename | End-user consent stopped due to risk-based consent |
Description | Detects a user’s consent to an OAuth application being blocked due to it being too risky. These events should be investigated to understand why the user attempted to consent to the application and what other applications they may have consented to. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent |
Severity | Medium |
Tactics | Persistence PrivilegeEscalation |
Techniques | T1078.004 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml |
Version | 1.0.1 |
Arm template | 009b9bae-23dd-43c4-bcb9-11c4ba7c784a.json |
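// Surfaces OAuth consent attempts that Azure AD blocked through risk-based consent.
// Source: AuditLogs (Azure AD audit stream, AzureActiveDirectory connector).
AuditLogs
| where OperationName has "Consent to application"
| where Result =~ "failure"
// InitiatedBy.user is nested JSON; extract the actor's IP and UPN for entity mapping.
| extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// AdditionalDetails is an array of {key, value} pairs and its order is not guaranteed.
// Only accept a value whose key really is "User-Agent"; otherwise leave userAgent empty
// instead of attributing the value of some other detail as the user agent.
| extend userAgent = case(
    AdditionalDetails[0].key == "User-Agent", tostring(AdditionalDetails[0].value),
    AdditionalDetails[1].key == "User-Agent", tostring(AdditionalDetails[1].value),
    "")
| where isnotempty(TargetResources)
| extend AppName = tostring(TargetResources[0].displayName)
| mv-expand TargetResources[0].modifiedProperties
// columnifexists keeps the query valid when the expanded column is absent (e.g. no
// modifiedProperties on the event); the next filter then drops those rows.
| extend TargetResources_0_modifiedProperties = columnifexists("TargetResources_0_modifiedProperties", '')
| where isnotempty(TargetResources_0_modifiedProperties)
| where TargetResources_0_modifiedProperties.displayName =~ "MethodExecutionResult."
| extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
// Risk-based consent blocks report "Risky" in the method execution result.
| where FailureReason contains "Risky"
| project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress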
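# Microsoft Sentinel scheduled analytics rule (Azure-Sentinel community content).
# Indentation follows the Azure-Sentinel detection template schema.
severity: Medium
triggerThreshold: 0
metadata:
  source:
    kind: Community
  support:
    tier: Community
  categories:
    domains:
      - Security - Others
  author:
    name: Pete Bryan
queryFrequency: 1d
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
id: 009b9bae-23dd-43c4-bcb9-11c4ba7c784a
version: 1.0.1
name: End-user consent stopped due to risk-based consent
kind: Scheduled
# userAgent is only taken from an AdditionalDetails entry whose key is "User-Agent";
# when neither of the first two entries matches, the column is left empty rather than
# filled with the value of an unrelated detail.
query: |
  AuditLogs
  | where OperationName has "Consent to application"
  | where Result =~ "failure"
  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
  | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend userAgent = case(
      AdditionalDetails[0].key == "User-Agent", tostring(AdditionalDetails[0].value),
      AdditionalDetails[1].key == "User-Agent", tostring(AdditionalDetails[1].value),
      "")
  | where isnotempty(TargetResources)
  | extend AppName = tostring(TargetResources[0].displayName)
  | mv-expand TargetResources[0].modifiedProperties
  | extend TargetResources_0_modifiedProperties = columnifexists("TargetResources_0_modifiedProperties", '')
  | where isnotempty(TargetResources_0_modifiedProperties)
  | where TargetResources_0_modifiedProperties.displayName =~ "MethodExecutionResult."
  | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
  | where FailureReason contains "Risky"
  | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml
queryPeriod: 1d
relevantTechniques:
  - T1078.004
triggerOperator: gt
tactics:
  - Persistence
  - PrivilegeEscalation
tags:
  - AADSecOpsGuide
# Block scalar: no surrounding quotes, they would otherwise become part of the text
# shown in the portal (the published template carried a stray ' at both ends).
description: |
  Detects a user's consent to an OAuth application being blocked due to it being too risky.
  These events should be investigated to understand why the user attempted to consent to the application and what other applications they may have consented to.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ipAddress
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: userPrincipalName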
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/009b9bae-23dd-43c4-bcb9-11c4ba7c784a')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/009b9bae-23dd-43c4-bcb9-11c4ba7c784a')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "End-user consent stopped due to risk-based consent",
"description": "'Detects a user's consent to an OAuth application being blocked due to it being too risky.\n These events should be investigated to understand why the user attempted to consent to the application and what other applications they may have consented to.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent'\n",
"severity": "Medium",
"enabled": true,
"query": "AuditLogs\n | where OperationName has \"Consent to application\"\n | where Result =~ \"failure\"\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend userAgent = iif(AdditionalDetails[0].key == \"User-Agent\", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\n | where isnotempty(TargetResources)\n | extend AppName = tostring(TargetResources[0].displayName)\n | mv-expand TargetResources[0].modifiedProperties\n | extend TargetResources_0_modifiedProperties = columnifexists(\"TargetResources_0_modifiedProperties\", '')\n | where isnotempty(TargetResources_0_modifiedProperties)\n | where TargetResources_0_modifiedProperties.displayName =~ \"MethodExecutionResult.\"\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\n | where FailureReason contains \"Risky\"\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence",
"PrivilegeEscalation"
],
"techniques": [
"T1078.004"
],
"alertRuleTemplateName": "009b9bae-23dd-43c4-bcb9-11c4ba7c784a",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "ipAddress",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"columnName": "userPrincipalName",
"identifier": "FullName"
}
],
"entityType": "Account"
}
],
"tags": [
"AADSecOpsGuide"
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml",
"templateVersion": "1.0.1"
}
}
]
}