[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283)

* [Tuning] Possible Consent Grant Attack via Azure-Registered Application

SDH related rule tuning for o365.audit dataset

* removing renamed field from query

(cherry picked from commit 511c108)
imays11 authored and github-actions[bot] committed Dec 6, 2024
1 parent e112c39 commit bfebe44
Showing 1 changed file with 3 additions and 3 deletions.
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/09/01"
integration = ["azure", "o365"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/12/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -87,8 +87,8 @@ query = '''
event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and
(
azure.activitylogs.operation_name:"Consent to application" or
azure.auditlogs.operation_name:"Consent to application" or
o365.audit.Operation:"Consent to application."
azure.auditlogs.operation_name:"Consent to application" or
event.action:"Consent to application."
) and
event.outcome:(Success or success)
'''
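Review bot: In the O365 clause, `event.action:"Consent to application."` is no longer tied to a dataset-specific field, so its scope now rests on the `event.dataset` filter on the first query line and on the trailing period in the literal, which is the only thing separating it from the two Azure `operation_name` values. Consider writing it as `(event.dataset:o365.audit and event.action:"Consent to application.")` so the intent stays explicit and a later cleanup does not normalise the period away. The commit message describes `o365.audit.Operation` as renamed, and this commit changes only the date and these query lines, so please also confirm that no o365.audit events carrying only the old field are expected, since those will no longer match this query.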