End User Consent

Aug 12, 2024 · attack.credential-access attack.t1528 ·

Detects when an end user consents to an application

Sigma rule (View on GitHub)

 1title: End User Consent
 2id: 9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a
 3status: test
 4description: Detects when an end user consents to an application
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent
 7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 8date: 2022-07-28
 9tags:
10    - attack.credential-access
11    - attack.t1528
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        ConsentContext.IsAdminConsent: 'false'
18    condition: selection
19falsepositives:
20    - Unknown
21level: low

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

Related rules

Anomalous Token
Anonymous IP Address
App Granted Microsoft Permissions
Application URI Configuration Changes
Delegated Permissions Granted For All Users

End User Consent

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules