User Added as Owner for Azure Application

Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.

Elastic rule

```toml
[metadata]
creation_date = "2020/08/20"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner
for an Azure application in order to grant additional permissions and modify the application's configuration using
another account.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "User Added as Owner for Azure Application"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 21
rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
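The following is an added example, not code from the Elastic rule or its repository: a small Python re-implementation of the three KQL clauses in the rule's query, run over constructed Azure audit-log events laid out in the nested ECS shape the rule's index patterns carry. It shows which events the rule fires on (operation name, dataset and outcome all have to match) and why the query spells out both `Success` and `success`: `event.outcome` is a keyword field, so the KQL match is exact and a differently cased value does not match. The sample events are constructed, and the initiator and target fields that `summarize()` reads under `azure.auditlogs.properties` are an assumed layout for triage output, not fields taken from the rule.

```python
"""Offline check of the 'User Added as Owner for Azure Application' rule logic.

Added example; not part of the Elastic rule or its repository.  Sample events
are constructed, and the `properties.*` paths used for triage are assumed.
"""

DATASET = "azure.auditlogs"
OPERATION = "Add owner to application"
# The rule lists both spellings because KQL matches keyword fields exactly.
OUTCOMES = {"Success", "success"}


def get_field(event, path):
    """Walk a dotted ECS path such as 'azure.auditlogs.operation_name' into a nested dict."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event):
    """True when all three clauses of the rule's query hold for this event."""
    return (
        get_field(event, "event.dataset") == DATASET
        and get_field(event, "azure.auditlogs.operation_name") == OPERATION
        and get_field(event, "event.outcome") in OUTCOMES
    )


def run_rule(events):
    """Apply the rule to a batch of events and return the ones that would alert."""
    return [e for e in events if matches_rule(e)]


def summarize(event):
    """One triage line per alert: who performed the operation and on which resources.

    The `properties.initiated_by` / `properties.target_resources` paths are an
    assumed layout for this example, not fields the rule itself references.
    """
    initiator = get_field(
        event, "azure.auditlogs.properties.initiated_by.user.userPrincipalName"
    ) or "<unknown initiator>"
    targets = get_field(event, "azure.auditlogs.properties.target_resources") or []
    names = [t.get("display_name", "<unnamed>") for t in targets if isinstance(t, dict)]
    return f"{initiator} performed '{OPERATION}' on: {', '.join(names) or '<unknown target>'}"


# Constructed sample events (no real tenant data).  Only the fields the rule
# tests are required; the extra `properties` block feeds summarize().
SAMPLE_EVENTS = [
    {   # 1: every clause matches -> alert
        "event": {"dataset": "azure.auditlogs", "outcome": "success"},
        "azure": {"auditlogs": {
            "operation_name": "Add owner to application",
            "properties": {
                "initiated_by": {"user": {"userPrincipalName": "alice@example.test"}},
                "target_resources": [
                    {"display_name": "backup-automation-app"},
                    {"display_name": "bob@example.test"},
                ],
            },
        }},
    },
    {   # 2: same operation, but the attempt failed -> no alert
        "event": {"dataset": "azure.auditlogs", "outcome": "failure"},
        "azure": {"auditlogs": {"operation_name": "Add owner to application"}},
    },
    {   # 3: a different owner operation (service principal, not application) -> no alert
        "event": {"dataset": "azure.auditlogs", "outcome": "success"},
        "azure": {"auditlogs": {"operation_name": "Add owner to service principal"}},
    },
    {   # 4: right operation, but an outcome casing the query does not list -> no alert
        "event": {"dataset": "azure.auditlogs", "outcome": "SUCCESS"},
        "azure": {"auditlogs": {"operation_name": "Add owner to application"}},
    },
]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(summarize(alert))
```

Event 4 is the practical caveat: if a pipeline ever normalises `event.outcome` to a casing the query does not enumerate, the rule goes silent without any error, so a quick replay of a known-good sample against the query after ingest changes is worth the minute it takes.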

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
