User Added as Owner for Azure Application

Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/08/20"
integration = ["azure"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner
for an Azure application in order to grant additional permissions and modify the application's configuration using
another account.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "User Added as Owner for Azure Application"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 21
rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
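The query above reduced to plain Python and run over a handful of constructed audit-log documents, as an added example that is not part of the Elastic rule or its repository. It assumes the ECS field layout the azure.auditlogs integration produces (event.dataset, event.outcome, azure.auditlogs.operation_name); the actor path used for the alert summary is an assumption, not something the rule itself references.

```python
RULE_ID = "774f5e28-7b75-4a58-b94e-41bf060fdd86"
OPERATION = "Add owner to application"

def get_field(doc, path):
    """Resolve a dotted ECS field name such as "event.outcome" in a nested dict."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(doc):
    """Python equivalent of the rule's KQL:
    event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application"
    and event.outcome:(Success or success).
    The outcome clause is an explicit OR of the two spellings the rule lists."""
    return (
        get_field(doc, "event.dataset") == "azure.auditlogs"
        and get_field(doc, "azure.auditlogs.operation_name") == OPERATION
        and get_field(doc, "event.outcome") in ("Success", "success")
    )

def find_alerts(docs):
    """One alert summary per matching document. The actor path is an assumption
    about the integration's field layout, not taken from the rule."""
    actor_path = "azure.auditlogs.properties.initiated_by.user.userPrincipalName"
    return [
        {"rule_id": RULE_ID, "timestamp": get_field(d, "@timestamp"),
         "actor": get_field(d, actor_path)}
        for d in docs if matches_rule(d)
    ]

# Constructed sample documents: one true positive, one failed attempt, and one
# different operation with a successful outcome. None of these are real tenant data.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-21T10:00:00Z",
     "event": {"dataset": "azure.auditlogs", "outcome": "success"},
     "azure": {"auditlogs": {"operation_name": OPERATION, "properties": {
         "initiated_by": {"user": {"userPrincipalName": "alice@example.invalid"}}}}}},
    {"@timestamp": "2024-05-21T10:05:00Z",
     "event": {"dataset": "azure.auditlogs", "outcome": "failure"},
     "azure": {"auditlogs": {"operation_name": OPERATION}}},
    {"@timestamp": "2024-05-21T10:10:00Z",
     "event": {"dataset": "azure.auditlogs", "outcome": "Success"},
     "azure": {"auditlogs": {"operation_name": "Remove owner from application"}}},
]
```

Only the first sample document fires; the failed attempt is filtered by the outcome clause and the removal event by the operation name, which is why a noisy environment would need a companion rule rather than a looser match here.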

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
