End User Consent Blocked

Detects when end user consent is blocked due to risk-based consent.

Sigma rule (View on GitHub)

 1title: End User Consent Blocked
 2id: 7091372f-623c-4293-bc37-20c32b3492be
 3status: test
 4description: Detects when end user consent is blocked due to risk-based consent.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent
 7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 8date: 2022/07/10
 9tags:
10    - attack.credential_access
11    - attack.t1528
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        failure_status_reason: 'Microsoft.online.Security.userConsentBlockedForRiskyAppsExceptions'
18    condition: selection
19falsepositives:
20    - Unknown
21level: medium

References

Related rules

to-top