adding new detection

detections/cloud/o365_user_consent_blocked_for_risky_application.yml

@@ -0,0 +1,53 @@
+name: O365 User Consent Blocked for Risky Application
+id: 242e4d30-cb59-4051-b0cf-58895e218f40
+version: 1
+date: '2023-10-11'
+author: Mauricio Velazco, Splunk
+status: production
+type: TTP
+data_source:
+- UPDATE_DATA_SOURCE
+description: UPDATE_DESCRIPTION
+search: >
+  `o365_management_activity` Operation="Consent to application." ResultStatus=Failure
+  | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4)
+  | eval reason =mvindex('ModifiedProperties{}.NewValue', 5)
+  |  search reason = "Risky application detected"
+  | rex field=permissions "Scope: (?<Scope>[^,]+)"
+  |  stats max(_time) as lastTime by Operation, user, reason, object, Scope
+  | `security_content_ctime(lastTime)`
+  | `o365_user_consent_blocked_for_risky_application_filter`
+how_to_implement: UPDATE_HOW_TO_IMPLEMENT
+known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
+references:
+- REFERENCE
+tags:
+  analytic_story:
+  - UPDATE_STORY_NAME
+  asset_type: O365 tenant
+  atomic_guid:
+  - UPDATE atomic_guid
+  confidence: 100
+  impact: 30
+  message: UPDATE message
+  mitre_attack_id:
+  - T1528
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 30
+  required_fields:
+  - UPDATE_required_fields
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log
+    source: o365
+    sourcetype: o365:management:activity