[Rule Tuning] Possible Consent Grant Attack via Azure-Registered Appl…

…ication (#575) * Update initial_access_consent_grant_attack_via_azure_registered_application.toml * bump updated_date Co-authored-by: Brent Murphy <[email protected]> Co-authored-by: Justin Ibarra <[email protected]>
elastic · Dec 9, 2020 · b8d2f6f · b8d2f6f
1 parent 24828ea
commit b8d2f6f
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/12/08"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide
+Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide
 permissions to an application. An adversary may create an Azure-registered application that requests access to data such
 as contact information, email, or documents.
 """
@@ -30,10 +30,11 @@ tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identit
 type = "query"
 
 query = '''
-event.dataset:(azure.activitylogs or azure.auditlogs) and
+event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and 
   (
     azure.activitylogs.operation_name:"Consent to application" or
-    azure.auditlogs.operation_name:"Consent to application"
+    azure.auditlogs.operation_name:"Consent to application" or
+    o365.audit.Operation:"Consent to application."
   ) and
   event.outcome:success
 '''