Potential Illicit Consent Grant attack via Azure registered application

Set up the Azure integration.


Goal

Detects when a user grants an application consent to access their data. An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.

Strategy

Monitor Azure AD Audit logs for the following @evt.name:

  • Consent to application

Monitor Microsoft 365 Audit logs for the following @evt.name:

  • Consent to application

Because these are third-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.
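The following is an added example, not part of the original rule page or Datadog's own detection code, showing what the strategy above looks like as a small triage filter over audit records: it keeps only `Consent to application` events, pulls out who consented, to which application, whether it was admin consent, and which delegated scopes were granted, and then raises the severity when the scopes touch mail, contacts or files (the data types the Goal section names). The sample records are constructed; their field names are an approximation of an Azure AD audit log entry (`initiatedBy`, `targetResources`, `modifiedProperties` with `ConsentContext.IsAdminConsent` and `ConsentAction.Permissions`) normalised into an `@evt.name` field, and the exact layout of the permissions string is an assumption for this example.

```python
import json
import re
from typing import Dict, Iterable, List

# Constructed sample records (not real tenant data). ASSUMPTION: the field
# names approximate an Azure AD audit log entry after normalisation into an
# @evt.name field; a real pipeline's schema may differ.
SAMPLE_EVENTS = [
    {
        "@evt.name": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
        "targetResources": [{"displayName": "Contoso Mail Sync", "type": "ServicePrincipal"}],
        "modifiedProperties": [
            {"displayName": "ConsentContext.IsAdminConsent", "newValue": "False"},
            {"displayName": "ConsentAction.Permissions",
             "newValue": "[] => [[ClientId: 1111, ConsentType: Principal, "
                         "Scope: Mail.Read Contacts.Read offline_access]]"},
        ],
    },
    {
        # Unrelated audit event; the filter must ignore it.
        "@evt.name": "Add user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
        "targetResources": [{"displayName": "bob@example.com", "type": "User"}],
        "modifiedProperties": [],
    },
    {
        "@evt.name": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
        "targetResources": [{"displayName": "HR Portal", "type": "ServicePrincipal"}],
        "modifiedProperties": [
            {"displayName": "ConsentContext.IsAdminConsent", "newValue": "True"},
            {"displayName": "ConsentAction.Permissions",
             "newValue": "[] => [[ClientId: 2222, ConsentType: AllPrincipals, Scope: User.Read]]"},
        ],
    },
]

# Microsoft Graph permission families that expose the data types the rule is
# concerned with (emails, contacts, documents). Treat as a starting list.
SENSITIVE_SCOPE_PREFIXES = ("Mail.", "Contacts.", "Files.", "Sites.", "MailboxSettings.")


def _property(event: Dict, name: str) -> str:
    """Return the newValue of a named entry in modifiedProperties, or ''."""
    for prop in event.get("modifiedProperties", []):
        if prop.get("displayName") == name:
            return prop.get("newValue", "")
    return ""


def parse_scopes(permissions_value: str) -> List[str]:
    """Extract the space-separated scope list(s) after 'Scope:' in the
    permissions string (ASSUMPTION: constructed layout, Scope ends at ']' or ',')."""
    scopes: List[str] = []
    for match in re.finditer(r"Scope:\s*([^\],]*)", permissions_value):
        scopes.extend(match.group(1).split())
    return scopes


def find_consent_grants(events: Iterable[Dict]) -> List[Dict]:
    """Filter to 'Consent to application' events and summarise each grant
    with a severity based on whether sensitive scopes were granted."""
    findings = []
    for ev in events:
        if ev.get("@evt.name") != "Consent to application":
            continue
        user = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        app = next((t.get("displayName") for t in ev.get("targetResources", [])
                    if t.get("type") == "ServicePrincipal"), "unknown")
        scopes = parse_scopes(_property(ev, "ConsentAction.Permissions"))
        sensitive = [s for s in scopes if s.startswith(SENSITIVE_SCOPE_PREFIXES)]
        findings.append({
            "user": user,
            "application": app,
            "admin_consent": _property(ev, "ConsentContext.IsAdminConsent").lower() == "true",
            "scopes": scopes,
            "sensitive_scopes": sensitive,
            "severity": "high" if sensitive else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in find_consent_grants(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Running the block prints one JSON line per consent grant; the first sample (user consent to an app requesting `Mail.Read` and `Contacts.Read`) comes out as `high`, while the admin consent to an app requesting only `User.Read` comes out as `low`. In practice the application display name and client id from such a finding are what the triage steps below take into the Microsoft playbook, and the user and scope fields are what you would compare against known, approved applications to tune out false positives.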

Triage and response

  1. See the official Microsoft playbook on responding to a potential Illicit Consent Grant.
  2. If the activity is benign:
    • Use the linked blog post in the suggested actions panel to tune out false positives.