Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

End-user consent stopped due to risk-based consent

Back
Id009b9bae-23dd-43c4-bcb9-11c4ba7c784a
RulenameEnd-user consent stopped due to risk-based consent
DescriptionDetects a user’s consent to an OAuth application being blocked due to it being too risky.

These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.

Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent
SeverityMedium
TacticsPersistence
PrivilegeEscalation
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml
Version1.0.1
Arm template009b9bae-23dd-43c4-bcb9-11c4ba7c784a.json
Deploy To Azure
AuditLogs
  | where OperationName has "Consent to application"
  | where Result =~ "failure"
  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
  | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend userAgent = iif(AdditionalDetails[0].key == "User-Agent", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))
  | where isnotempty(TargetResources)
  | extend AppName = tostring(TargetResources[0].displayName)
  | mv-expand TargetResources[0].modifiedProperties
  | extend TargetResources_0_modifiedProperties = columnifexists("TargetResources_0_modifiedProperties", '')
  | where isnotempty(TargetResources_0_modifiedProperties)
  | where TargetResources_0_modifiedProperties.displayName =~ "MethodExecutionResult."
  | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
  | where FailureReason contains "Risky"
  | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress
severity: Medium
triggerThreshold: 0
metadata:
  source:
    kind: Community
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
  author:
    name: Pete Bryan
queryFrequency: 1d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
id: 009b9bae-23dd-43c4-bcb9-11c4ba7c784a
version: 1.0.1
name: End-user consent stopped due to risk-based consent
kind: Scheduled
query: |
  AuditLogs
    | where OperationName has "Consent to application"
    | where Result =~ "failure"
    | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
    | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | extend userAgent = iif(AdditionalDetails[0].key == "User-Agent", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))
    | where isnotempty(TargetResources)
    | extend AppName = tostring(TargetResources[0].displayName)
    | mv-expand TargetResources[0].modifiedProperties
    | extend TargetResources_0_modifiedProperties = columnifexists("TargetResources_0_modifiedProperties", '')
    | where isnotempty(TargetResources_0_modifiedProperties)
    | where TargetResources_0_modifiedProperties.displayName =~ "MethodExecutionResult."
    | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
    | where FailureReason contains "Risky"
    | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml
queryPeriod: 1d
relevantTechniques:
- T1078.004
triggerOperator: gt
tactics:
- Persistence
- PrivilegeEscalation
tags:
- AADSecOpsGuide
description: |
  'Detects a user's consent to an OAuth application being blocked due to it being too risky.
    These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent'  
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ipAddress
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: userPrincipalName
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/009b9bae-23dd-43c4-bcb9-11c4ba7c784a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/009b9bae-23dd-43c4-bcb9-11c4ba7c784a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "End-user consent stopped due to risk-based consent",
        "description": "'Detects a user's consent to an OAuth application being blocked due to it being too risky.\n  These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\n  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "AuditLogs\n  | where OperationName has \"Consent to application\"\n  | where Result =~ \"failure\"\n  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n  | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | extend userAgent = iif(AdditionalDetails[0].key == \"User-Agent\", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\n  | where isnotempty(TargetResources)\n  | extend AppName = tostring(TargetResources[0].displayName)\n  | mv-expand TargetResources[0].modifiedProperties\n  | extend TargetResources_0_modifiedProperties = columnifexists(\"TargetResources_0_modifiedProperties\", '')\n  | where isnotempty(TargetResources_0_modifiedProperties)\n  | where TargetResources_0_modifiedProperties.displayName =~ \"MethodExecutionResult.\"\n  | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\n  | where FailureReason contains \"Risky\"\n  | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "009b9bae-23dd-43c4-bcb9-11c4ba7c784a",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "ipAddress",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "columnName": "userPrincipalName",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          }
        ],
        "tags": [
          "AADSecOpsGuide"
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml",
        "templateVersion": "1.0.1"
      }
    }
  ]
}