End User Consent

Detects when an end user consents to an application

Sigma rule (View on GitHub)

 1title: End User Consent
 2id: 9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a
 3status: test
 4description: Detects when an end user consents to an application
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent
 7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 8date: 2022/07/28
 9tags:
10    - attack.credential_access
11    - attack.t1528
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        ConsentContext.IsAdminConsent: 'false'
18    condition: selection
19falsepositives:
20    - Unknown
21level: low

References

Related rules

to-top