← Back to Explore
splunk_escuTTP
Azure AD User Consent Blocked for Risky Application
The following analytic detects instances where Azure AD has blocked a user's attempt to grant consent to a risky or potentially malicious application. This detection leverages Azure AD audit logs, focusing on user consent actions and system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that Azure's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation to understand the context and take preventive measures.
MITRE ATT&CK
Detection Query
`azure_monitor_aad` operationName="Consent to application" properties.result=failure | rename properties.* as * | eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason"), -1) | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions"), -1) | search reason_index >= 0 | eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | search reason = "\"Risky application detected\"" | rex field=permissions "Scope: (?<Scope> [ ^,]+)" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest user src vendor_account vendor_product reason Scope signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_blocked_for_risky_application_filter`Author
Mauricio Velazco, Splunk
Created
2026-03-10
Data Sources
Azure Active Directory Consent to application
References
- https://attack.mitre.org/techniques/T1528/
- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth
- https://www.alteredsecurity.com/post/introduction-to-365-stealer
- https://github.com/AlteredSecurity/365-Stealer
Tags
Azure Active Directory Account Takeover
Raw Content
name: Azure AD User Consent Blocked for Risky Application
id: 06b8ec9a-d3b5-4882-8f16-04b4d10f5eab
version: 9
date: '2026-03-10'
author: Mauricio Velazco, Splunk
status: production
type: TTP
data_source:
- Azure Active Directory Consent to application
description: The following analytic detects instances where Azure AD has blocked a user's attempt to grant consent to a risky or potentially malicious application. This detection leverages Azure AD audit logs, focusing on user consent actions and system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that Azure's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation to understand the context and take preventive measures.
search: "`azure_monitor_aad` operationName=\"Consent to application\" properties.result=failure | rename properties.* as * | eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Reason\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Reason\"), -1) | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\"), -1) | search reason_index >= 0 | eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | search reason = \"\\\"Risky application detected\\\"\" | rex field=permissions \"Scope: (?<Scope> [ ^,]+)\" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest user src vendor_account vendor_product reason Scope signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_blocked_for_risky_application_filter`"
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
references:
- https://attack.mitre.org/techniques/T1528/
- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth
- https://www.alteredsecurity.com/post/introduction-to-365-stealer
- https://github.com/AlteredSecurity/365-Stealer
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Azure AD has blocked $user$ attempt to grant to consent to an application deemed risky.
risk_objects:
- field: user
type: user
score: 50
threat_objects: []
tags:
analytic_story:
- Azure Active Directory Account Takeover
asset_type: Azure Tenant
mitre_attack_id:
- T1528
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.log
source: Azure AD
sourcetype: azure:monitor:aad