Detectionmediumtest

End User Consent Blocked

Detects when end user consent is blocked due to risk-based consent.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Bailey Bercik, Mark MorowczynskiCreated Sun Jul 107091372f-623c-4293-bc37-20c32b3492becloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        failure_status_reason: 'Microsoft.online.Security.userConsentBlockedForRiskyAppsExceptions'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Techniques

T1528 · Steal Application Access Token

Rule Metadata

Rule ID

7091372f-623c-4293-bc37-20c32b3492be

Status

test

Level

medium

Type

Detection

Created

Sun Jul 10

Author

Bailey Bercik, Mark Morowczynski

Path

rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml

Raw Tags

attack.credential-accessattack.t1528

View on GitHub