
Summary
This detection rule identifies instances where users in an Office 365 environment have denied consent to OAuth applications requesting permissions. It uses Office 365 audit logs to track user consent events, focusing specifically on denied requests. The detection is meaningful because a denial can indicate that a user recognised a suspicious or unfamiliar application attempting to gain access to their data. When users deny access, it may signal that a malicious application is attempting to gain a foothold, and it highlights proactive user behaviour in preventing unauthorized access. The analysis tracks the 'status.errorCode' field, where error code 65004 signifies a rejected consent request. The rule is implemented with Splunk's Office 365 Add-on to monitor and analyze these consent actions.
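As an added example (not code from the rule itself or from Splunk), the following Python applies the same logic to constructed Office 365 sign-in records: it resolves the dotted 'status.errorCode' field, keeps events whose code is 65004, and counts denials per user and application. The userPrincipalName and appDisplayName field names, and the sample records, are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records in the nested JSON shape the Splunk Office 365
# Add-on emits for Azure AD sign-in events. Only 'status.errorCode' and 65004
# come from the rule description; the other field names are assumptions.
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Contoso Mail Sync",
     "status": {"errorCode": 65004, "failureReason": "User declined to consent to access the app."}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Contoso Mail Sync",
     "status": {"errorCode": "65004", "failureReason": "User declined to consent to access the app."}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Contoso Mail Sync",
     "status": {"errorCode": 0, "failureReason": ""}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Expense Helper",
     "status": {"errorCode": 65004, "failureReason": "User declined to consent to access the app."}},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Expense Helper"},
]

CONSENT_DENIED = 65004  # AADSTS65004: the user declined the consent prompt


def get_field(event, dotted):
    """Resolve a Splunk-style dotted field name such as 'status.errorCode'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None  # field absent: the event cannot match the rule
        cur = cur[part]
    return cur


def denied_consents(events):
    """Keep only events where the user rejected an OAuth consent prompt.

    The code is compared as a string because Splunk may extract it either
    as a number or as text depending on the input source.
    """
    return [e for e in events
            if str(get_field(e, "status.errorCode")) == str(CONSENT_DENIED)]


def summarize(events):
    """Count denials per (user, application) pair, like a 'stats count by' step."""
    return Counter((get_field(e, "userPrincipalName"), get_field(e, "appDisplayName"))
                   for e in denied_consents(events))


if __name__ == "__main__":
    for (user, app), n in summarize(SAMPLE_EVENTS).most_common():
        print(f"{n} denial(s): {user} declined consent to {app}")
```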
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Cloud Service
ATT&CK Techniques
- T1528
Created: 2024-11-14