End User Consent

Oct 17, 2023 · attack.credential_access attack.t1528 ·

Detects when an end user consents to an application

Sigma rule (View on GitHub)

 1title: End User Consent
 2id: 9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a
 3status: test
 4description: Detects when an end user consents to an application
 5references:
 6    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent
 7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 8date: 2022/07/28
 9tags:
10    - attack.credential_access
11    - attack.t1528
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        ConsentContext.IsAdminConsent: 'false'
18    condition: selection
19falsepositives:
20    - Unknown
21level: low

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

Related rules

App Granted Microsoft Permissions
Application URI Configuration Changes
Delegated Permissions Granted For All Users
End User Consent Blocked
Suspicious File Event With Teams Objects

End User Consent

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules