Link Search Menu Expand Document

O365_AzureAD_Consent_To_Application

ID: 100465

Description:

Office365 AzureAD ‘Consent to application’ operation

Repository: Group: Office365 Type: event

Default Status:

Enabled

Tags:  
O365 AzureAD
   

Selector:

Query:

Filters:

Field MUST hit
@fields.Operation Consent to application.
@sender office365
@fields.Workload AzureActiveDirectory
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@fields.UserId username application activity

Risks:

Risks Base Score Dimension
Timeline 0 -

Attributes:

Alias Key
Username @fields.UserId
Workload @fields.Workload
Operation @fields.Operation
ResultStatus @fields.ResultStatus
TargetIDs @fields.Target.ID
ActorIDs @fields.Actor.ID
IsAdminConsent @fields.ModifiedPropertiesFieldsNew.ConsentContext_IsAdminConsent
IsAppOnly @fields.ModifiedPropertiesFieldsNew.ConsentContext_IsAppOnly
OnBehalfOfAll @fields.ModifiedPropertiesFieldsNew.ConsentContext_OnBehalfOfAll
ConsentContext_Tags @fields.ModifiedPropertiesFieldsNew.ConsentContext_Tags
ServicePrincipalNames @fields.ModifiedPropertiesFieldsNew.TargetId_ServicePrincipalNames
ConsentAction_Permissions @fields.ModifiedPropertiesFieldsNew.ConsentAction_Permissions

Correlation Rules:

First Occurrence:

Name Window Fields
NewUser 10 days @fields.UserId
  Risks: ML_NEW_USER

History:

User Date
ku*n@fluencysecurity.com 2021 May 20 23:28:48 EDT
em*n@fluencysecurity.com 2021 Jul 6 23:43:44 EDT
em*n@fluencysecurity.com 2021 Jul 7 11:11:06 EDT
ho*d@fluencysecurity.com 2021 Oct 5 08:55:20 EDT
ho*d@fluencysecurity.com 2021 Oct 5 09:06:09 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)