User Added as Owner for Azure Service Principal

Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.

Elastic rule

[metadata]
creation_date = "2020/08/20"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what
the application can do in the specific tenant, who can access the application, and what resources the app can access. A
service principal object is created when an application is given permission to access resources in a tenant. An
adversary may add a user account as an owner for a service principal and use that account in order to define what an
application can do in the Azure AD tenant.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "User Added as Owner for Azure Service Principal"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals",
]
risk_score = 21
rule_id = "38e5acdd-5f20-4d99-8fe4-f0a1a592077f"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
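The following is an added example, not part of the Elastic rule or its repository: it replays the rule's query logic (dataset, operation name, successful outcome) over constructed Azure audit-log documents in ECS shape and pulls out the triage facts an analyst would want from a hit. The field paths under azure.auditlogs.properties.* used for that summary are assumed for illustration; the rule query itself only depends on the three fields it names.

```python
# Added example (not the rule's own code). Documents below are constructed;
# the properties.* paths used by summarize() are assumed field names.
SAMPLE_EVENTS = [
    {   # a real hit: successful "Add owner to service principal"
        "event": {"dataset": "azure.auditlogs", "outcome": "success"},
        "azure": {"auditlogs": {
            "operation_name": "Add owner to service principal",
            "properties": {
                "initiated_by": {"user": {"userPrincipalName": "alice@example.com"}},
                "target_resources": [
                    {"type": "User", "display_name": "bob@example.com"},
                    {"type": "ServicePrincipal", "display_name": "billing-automation"},
                ]}}},
    },
    {   # same operation, but it failed: the rule requires a successful outcome
        "event": {"dataset": "azure.auditlogs", "outcome": "failure"},
        "azure": {"auditlogs": {"operation_name": "Add owner to service principal"}},
    },
    {   # owner added to an application object, not to a service principal
        "event": {"dataset": "azure.auditlogs", "outcome": "Success"},
        "azure": {"auditlogs": {"operation_name": "Add owner to application"}},
    },
]

def get_field(doc, path):
    """Resolve a dotted ECS path such as 'event.outcome'; None when absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def rule_matches(doc):
    """Mirror the KQL: dataset AND operation name AND outcome in (Success, success)."""
    return (get_field(doc, "event.dataset") == "azure.auditlogs"
            and get_field(doc, "azure.auditlogs.operation_name") == "Add owner to service principal"
            and get_field(doc, "event.outcome") in ("Success", "success"))

def summarize(doc):
    """Triage facts for a hit: who added which user as owner of which service principal."""
    targets = get_field(doc, "azure.auditlogs.properties.target_resources") or []
    by_type = {t.get("type"): t.get("display_name") for t in targets}
    return {"actor": get_field(doc, "azure.auditlogs.properties.initiated_by.user.userPrincipalName"),
            "new_owner": by_type.get("User"), "service_principal": by_type.get("ServicePrincipal")}

def run_rule(events):
    """Return a triage summary for every event the rule would alert on."""
    return [summarize(e) for e in events if rule_matches(e)]
```

Only the first document produces an alert; the failed attempt and the application-object change are filtered out exactly as the rule's query would filter them.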

References

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
