From b8d2f6fc9629994b9f76e22a946f71232fef41ab Mon Sep 17 00:00:00 2001
From: David French <56409778+threat-punter@users.noreply.github.com>
Date: Tue, 8 Dec 2020 17:20:30 -0700
Subject: [PATCH] [Rule Tuning] Possible Consent Grant Attack via Azure-Registered Application (#575)

* Update initial_access_consent_grant_attack_via_azure_registered_application.toml

* bump updated_date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra
---
 ...nt_grant_attack_via_azure_registered_application.toml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 2e3da3d32d9..5d32b6f3e63 100644
--- a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/12/08"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide
+Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide
 permissions to an application. An adversary may create an Azure-registered application that requests access to data such
 as contact information, email, or documents.
 """
@@ -30,10 +30,11 @@ tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identit
 type = "query"
 
 query = '''
-event.dataset:(azure.activitylogs or azure.auditlogs) and
+event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and
 (
   azure.activitylogs.operation_name:"Consent to application" or
-  azure.auditlogs.operation_name:"Consent to application"
+  azure.auditlogs.operation_name:"Consent to application" or
+  o365.audit.Operation:"Consent to application."
 ) and
 event.outcome:success
 '''
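Review bot: The new `o365.audit` clause only has effect if the rule's `index` list, which sits outside this hunk, also covers the indices that hold Office 365 audit events (for example a `logs-o365*` pattern for Agent-ingested data); if that list still names only the Azure patterns, the added line never matches and the rule silently stays Azure-only, so the diffstat's five insertions suggest it was not touched here. The trailing period in `"Consent to application."` differs from the two Azure operation names and is presumably the exact O365 `Operation` value; a sentence in the rule's `note` field such as `The O365 operation name ends with a period; the trailing period is intentional.` would keep a later tidy-up from dropping it and breaking the match. It is also worth confirming that the O365 ingest pipeline populates `event.outcome` with `success` for these records, because the shared `event.outcome:success` condition now filters the new dataset as well and an unmapped field would drop every O365 consent grant.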