Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

End-user consent stopped due to risk-based consent

Back
Id009b9bae-23dd-43c4-bcb9-11c4ba7c784a
RulenameEnd-user consent stopped due to risk-based consent
DescriptionDetects a user’s consent to an OAuth application being blocked due to it being too risky.

These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.

Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent
SeverityMedium
TacticsPersistence
PrivilegeEscalation
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml
Version1.0.1
Arm template009b9bae-23dd-43c4-bcb9-11c4ba7c784a.json
Deploy To Azure
AuditLogs
  | where OperationName has "Consent to application"
  | where Result =~ "failure"
  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
  | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend userAgent = iif(AdditionalDetails[0].key == "User-Agent", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))
  | where isnotempty(TargetResources)
  | extend AppName = tostring(TargetResources[0].displayName)
  | mv-expand TargetResources[0].modifiedProperties
  | extend TargetResources_0_modifiedProperties = columnifexists("TargetResources_0_modifiedProperties", '')
  | where isnotempty(TargetResources_0_modifiedProperties)
  | where TargetResources_0_modifiedProperties.displayName =~ "MethodExecutionResult."
  | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
  | where FailureReason contains "Risky"
  | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress
triggerOperator: gt
version: 1.0.1
query: |
  AuditLogs
    | where OperationName has "Consent to application"
    | where Result =~ "failure"
    | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
    | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | extend userAgent = iif(AdditionalDetails[0].key == "User-Agent", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))
    | where isnotempty(TargetResources)
    | extend AppName = tostring(TargetResources[0].displayName)
    | mv-expand TargetResources[0].modifiedProperties
    | extend TargetResources_0_modifiedProperties = columnifexists("TargetResources_0_modifiedProperties", '')
    | where isnotempty(TargetResources_0_modifiedProperties)
    | where TargetResources_0_modifiedProperties.displayName =~ "MethodExecutionResult."
    | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
    | where FailureReason contains "Risky"
    | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress  
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: ipAddress
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: userPrincipalName
    identifier: FullName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml
queryFrequency: 1d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  categories:
    domains:
    - Security - Others
  support:
    tier: Community
tags:
- AADSecOpsGuide
name: End-user consent stopped due to risk-based consent
queryPeriod: 1d
severity: Medium
kind: Scheduled
tactics:
- Persistence
- PrivilegeEscalation
id: 009b9bae-23dd-43c4-bcb9-11c4ba7c784a
description: |
  'Detects a user's consent to an OAuth application being blocked due to it being too risky.
    These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent'  
relevantTechniques:
- T1078.004
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/009b9bae-23dd-43c4-bcb9-11c4ba7c784a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/009b9bae-23dd-43c4-bcb9-11c4ba7c784a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "End-user consent stopped due to risk-based consent",
        "description": "'Detects a user's consent to an OAuth application being blocked due to it being too risky.\n  These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\n  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "AuditLogs\n  | where OperationName has \"Consent to application\"\n  | where Result =~ \"failure\"\n  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n  | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | extend userAgent = iif(AdditionalDetails[0].key == \"User-Agent\", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\n  | where isnotempty(TargetResources)\n  | extend AppName = tostring(TargetResources[0].displayName)\n  | mv-expand TargetResources[0].modifiedProperties\n  | extend TargetResources_0_modifiedProperties = columnifexists(\"TargetResources_0_modifiedProperties\", '')\n  | where isnotempty(TargetResources_0_modifiedProperties)\n  | where TargetResources_0_modifiedProperties.displayName =~ \"MethodExecutionResult.\"\n  | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\n  | where FailureReason contains \"Risky\"\n  | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "009b9bae-23dd-43c4-bcb9-11c4ba7c784a",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "ipAddress",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "columnName": "userPrincipalName",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml",
        "templateVersion": "1.0.1",
        "tags": [
          "AADSecOpsGuide"
        ]
      }
    }
  ]
}