Azure Application Credential Modified

 1title: Azure Application Credential Modified
 2id: cdeef967-f9a1-4375-90ee-6978c5f23974
 3status: test
 4description: Identifies when a application credential is modified.
 5references:
 6    - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
 7author: Austin Songer @austinsonger
 8date: 2021-09-02
 9modified: 2022-10-09
10tags:
11    - attack.impact
12logsource:
13    product: azure
14    service: activitylogs
15detection:
16    selection:
17        properties.message: 'Update application - Certificates and secrets management'
18    condition: selection
19falsepositives:
20    - Application credential added may be performed by a system administrator.
21    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
22    - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
23level: medium

References

• Sign-in logs and auditing of Managed Identities and Service Principals

  

  Recently, Microsoft added new categories for sign-in logs which finally included non-interactive, managed or service principals in Azure AD. In this blog post I will describe the configuration steps to forward the new collections to Azure Sentinel, some considerations from my first tests and a few examples of correlation to activity logs and potentially Azure Sentinel analytic rules.

  
  Read More

Related rules

• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript
• AWS EC2 Disable EBS Encryption
• AWS EFS Fileshare Modified or Deleted
• AWS EFS Fileshare Mount Modified or Deleted