User Added as Owner for Azure Application
Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/08/20"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner
for an Azure application in order to grant additional permissions and modify the application's configuration using
another account.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "User Added as Owner for Azure Application"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating User Added as Owner for Azure Application

Azure applications often require specific permissions for functionality, managed by assigning user roles. An adversary might exploit this by adding themselves or a compromised account as an owner, gaining elevated privileges to alter configurations or access sensitive data. The detection rule monitors audit logs for successful operations where a user is added as an application owner, flagging potential unauthorized privilege escalations.

### Possible investigation steps

- Review the Azure audit logs to confirm the operation by filtering for event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" with a successful outcome.
- Identify the user account that was added as an owner and the account that performed the operation to determine if they are legitimate or potentially compromised.
- Check the history of activities associated with both the added owner and the account that performed the operation to identify any suspicious behavior or patterns.
- Verify the application's current configuration and permissions to assess any changes made after the new owner was added.
- Contact the legitimate owner or administrator of the Azure application to confirm whether the addition of the new owner was authorized.
- Investigate any recent changes in the organization's user access policies or roles that might explain the addition of a new owner.

### False positive analysis

- Routine administrative actions: Regular maintenance or updates by IT staff may involve adding users as application owners. To manage this, create a list of authorized personnel and exclude their actions from triggering alerts.
- Automated processes: Some applications may have automated scripts or services that add users as owners for operational purposes. Identify these processes and configure exceptions for their activities.
- Organizational changes: During mergers or restructuring, there may be legitimate reasons for adding multiple users as application owners. Temporarily adjust the rule to accommodate these changes and review the audit logs manually.
- Testing and development: In development environments, users may be added as owners for testing purposes. Exclude these environments from the rule or set up a separate monitoring policy with adjusted thresholds.

### Response and remediation

- Immediately revoke the added user's owner permissions from the Azure application to prevent further unauthorized access or configuration changes.
- Conduct a thorough review of recent activity logs for the affected application to identify any unauthorized changes or data access that may have occurred since the user was added as an owner.
- Reset credentials and enforce multi-factor authentication for the compromised or suspicious account to prevent further misuse.
- Notify the security team and relevant stakeholders about the incident for awareness and potential escalation if further investigation reveals broader compromise.
- Implement additional monitoring on the affected application and related accounts to detect any further unauthorized access attempts or privilege escalations.
- Review and update access control policies to ensure that only authorized personnel can modify application ownership, and consider implementing stricter approval processes for such changes.
- Document the incident, including actions taken and lessons learned, to improve response strategies and prevent recurrence.

## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 21
rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
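The following Python is an added example, not Elastic's rule code and not the Azure integration's own logic. It re-expresses the rule's KQL query as a predicate, runs it over a handful of constructed audit events (a success in each spelling the query accepts, a failed attempt, and an unrelated operation), extracts the acting account, the added owner and the application that the investigation steps start from, and applies an actor allowlist of the kind the false positive analysis suggests. The `event.dataset`, `azure.auditlogs.operation_name` and `event.outcome` paths and values come from the rule; the `properties.initiated_by` and `target_resources` layout, the `make_event` and `evaluate` helpers, and every account, application and outcome value in the sample are assumptions constructed for this example.

```python
# Added example (not the rule's or the Azure integration's code): the rule's
# KQL conditions re-expressed in Python and run over constructed audit events.
from __future__ import annotations

from typing import Any

# Values and field paths taken from the rule's query on this page.
DATASET = "azure.auditlogs"
OPERATION = "Add owner to application"
SUCCESS_OUTCOMES = ("Success", "success")  # the query accepts either spelling

# Assumed paths for the acting user and the affected objects; this layout is
# chosen for the constructed sample below, so check it against your own events.
ACTOR_PATH = "azure.auditlogs.properties.initiated_by.user.userPrincipalName"
TARGET_PATH = "azure.auditlogs.properties.target_resources"


def get_path(event: dict[str, Any], path: str) -> Any:
    """Resolve a dotted field path against a nested event dict (None if absent)."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event: dict[str, Any]) -> bool:
    """Equivalent of the rule's query: dataset, operation name and a
    successful outcome in either spelling must all match."""
    return (
        get_path(event, "event.dataset") == DATASET
        and get_path(event, "azure.auditlogs.operation_name") == OPERATION
        and get_path(event, "event.outcome") in SUCCESS_OUTCOMES
    )


def summarize(event: dict[str, Any]) -> dict[str, Any]:
    """Extract the identities the investigation steps begin with: who made
    the change, which user became an owner, and of which application."""
    targets = get_path(event, TARGET_PATH) or []
    by_type = {t.get("type"): t.get("display_name") for t in targets}
    return {
        "timestamp": event.get("@timestamp"),
        "actor": get_path(event, ACTOR_PATH),
        "added_owner": by_type.get("User"),
        "application": by_type.get("Application"),
    }


def evaluate(events: list[dict[str, Any]],
             authorized_actors: frozenset[str] = frozenset()) -> list[dict[str, Any]]:
    """Run the rule over a batch of events and return one summary per alert.

    authorized_actors is the exception list for documented administrative or
    automation accounts. It is keyed on the acting account only: an exception
    on the added owner would suppress exactly the case the rule exists to catch.
    """
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        summary = summarize(ev)
        if summary["actor"] not in authorized_actors:
            alerts.append(summary)
    return alerts


def make_event(actor: str, owner: str, app: str, outcome: str,
               operation: str = OPERATION) -> dict[str, Any]:
    """Build a constructed audit event in the assumed layout above."""
    return {
        "@timestamp": "2025-01-15T10:00:00Z",
        "event": {"dataset": DATASET, "outcome": outcome},
        "azure": {"auditlogs": {
            "operation_name": operation,
            "properties": {
                "initiated_by": {"user": {"userPrincipalName": actor}},
                "target_resources": [
                    {"type": "Application", "display_name": app},
                    {"type": "User", "display_name": owner},
                ],
            },
        }},
    }


# Constructed sample: every account, application and outcome value is made up.
SAMPLE_EVENTS = [
    make_event("j.doe@example.com", "svc-deploy@example.com", "billing-api", "Success"),
    make_event("j.doe@example.com", "svc-deploy@example.com", "billing-api", "success"),
    make_event("j.doe@example.com", "svc-deploy@example.com", "billing-api", "Failure"),
    make_event("j.doe@example.com", "svc-deploy@example.com", "billing-api", "Success",
               operation="Update application"),
    make_event("changemgmt@example.com", "a.lee@example.com", "hr-portal", "Success"),
]
AUTHORIZED_ACTORS = frozenset({"changemgmt@example.com"})

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, AUTHORIZED_ACTORS):
        print(alert)
```

Running the script prints two alerts: the failed attempt and the unrelated operation never match, and the change-management account's addition matches the query but is dropped by the exception. Keeping the exception on the acting account, and keeping that list short and reviewed, is what lets the rule stay quiet for routine administration without losing the case where an unfamiliar or compromised account makes the change.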
Related rules
- Azure Automation Runbook Created or Modified
- Azure Automation Webhook Created
- Azure Conditional Access Policy Modified
- User Added as Owner for Azure Service Principal
- Azure AD Global Administrator Role Assigned