From 511c108ba156e256fb33ce4f7164bbff779d1a13 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Fri, 6 Dec 2024 17:27:38 -0500
Subject: [PATCH] [Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283)
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application SDH related rule tuning for o365.audit dataset
* removing renamed field from query
---
 ...nsent_grant_attack_via_azure_registered_application.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 8766f39fc..da1197ef7 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -87,8 +87,8 @@
 query = '''
 event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and (
 azure.activitylogs.operation_name:"Consent to application" or
-azure.auditlogs.operation_name:"Consent to application" or
-o365.audit.Operation:"Consent to application."
+azure.auditlogs.operation_name:"Consent to application" or
+event.action:"Consent to application."
 ) and event.outcome:(Success or success)
 '''
 
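Review bot: The new `event.action:"Consent to application."` clause in the second hunk is no longer tied to the o365 source the way the removed `o365.audit.Operation` clause implicitly was, because `event.action` is an ECS field that any of the three datasets admitted by the outer `event.dataset` filter can populate; the trailing period on the string presumably keeps it from colliding with the Azure operation names, but that is an exact-string coincidence rather than an explicit scope. Consider writing the clause as `(event.dataset:o365.audit and event.action:"Consent to application.")` so the per-source intent survives future mapping changes and stays readable next to the two `azure.*.operation_name` clauses. The removed and added `azure.auditlogs.operation_name:"Consent to application" or` lines read identically here, so that pair looks like a whitespace-only change; worth confirming nothing else differs before merge. The `query` string closes at the `'''` inside the hunk, but the rest of the `[rule]` table is outside it, so any description or note text that still names the old `o365.audit.Operation` field would need a separate check.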