User Added as Owner for Azure Service Principal

Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/08/20"
integration = ["azure"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what
the application can do in the specific tenant, who can access the application, and what resources the app can access. A
service principal object is created when an application is given permission to access resources in a tenant. An
adversary may add a user account as an owner for a service principal and use that account in order to define what an
application can do in the Azure AD tenant.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "User Added as Owner for Azure Service Principal"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals",
]
risk_score = 21
rule_id = "38e5acdd-5f20-4d99-8fe4-f0a1a592077f"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
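To make the query's matching logic concrete, the following is an added Python example (not part of the Elastic rule or its repository) that applies the rule's three KQL conditions to constructed, ECS-shaped Azure audit log events and pulls out who granted ownership to whom. The `properties.initiated_by` and `properties.target_resources` paths used for that enrichment are assumed for illustration; only the three fields in the query come from the rule itself.

```python
from typing import Any

# Constructed sample events shaped like Azure audit logs after Elastic ingestion.
# Only the first one should match: right dataset, right operation, successful outcome.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"event": {"dataset": "azure.auditlogs", "outcome": "Success"},
     "azure": {"auditlogs": {"operation_name": "Add owner to service principal",
                             "properties": {  # assumed enrichment fields, not from the rule
                                 "initiated_by": {"user": {"userPrincipalName": "admin@example.com"}},
                                 "target_resources": [{"display_name": "alice@example.com"},
                                                      {"display_name": "payroll-app"}]}}}},
    # Same operation but it failed: the rule only alerts on successful changes.
    {"event": {"dataset": "azure.auditlogs", "outcome": "failure"},
     "azure": {"auditlogs": {"operation_name": "Add owner to service principal"}}},
    # Successful, but a different audit operation.
    {"event": {"dataset": "azure.auditlogs", "outcome": "success"},
     "azure": {"auditlogs": {"operation_name": "Add member to group"}}},
    # Right operation name but wrong dataset (e.g. a mis-parsed sign-in log).
    {"event": {"dataset": "azure.signinlogs", "outcome": "Success"},
     "azure": {"auditlogs": {"operation_name": "Add owner to service principal"}}},
]


def get_field(event: dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS field path; returns None if any segment is missing."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event: dict[str, Any]) -> bool:
    """Mirror of: event.dataset:azure.auditlogs and
    azure.auditlogs.operation_name:"Add owner to service principal" and
    event.outcome:(Success or success). KQL values are case-sensitive, hence both spellings."""
    return (get_field(event, "event.dataset") == "azure.auditlogs"
            and get_field(event, "azure.auditlogs.operation_name") == "Add owner to service principal"
            and get_field(event, "event.outcome") in ("Success", "success"))


def find_owner_additions(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one triage record per matching event: the actor and the affected objects."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            props = get_field(ev, "azure.auditlogs.properties") or {}
            hits.append({"actor": get_field(props, "initiated_by.user.userPrincipalName"),
                         "targets": [t.get("display_name") for t in props.get("target_resources", [])]})
    return hits
```

The `targets` list is where an analyst would look for the newly added owner and the service principal it was attached to when triaging a hit.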

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals