[Tuning] Possible Consent Grant Attack via Azure-Registered Application

imays11 · imays11 · commit bd90cf70c861 · 2024-12-05T13:01:43.000-05:00
SDH related rule tuning for o365.audit dataset
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,8 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and
   (
     azure.activitylogs.operation_name:"Consent to application" or
     azure.auditlogs.operation_name:"Consent to application" or
-    o365.audit.Operation:"Consent to application."
+    o365.audit.Operation:"Consent to application." or 
+    event.action:"Consent to application."
   ) and
   event.outcome:(Success or success)
 '''
