Azure Application Deleted

Identifies when a application is deleted in Azure.

Sigma rule (View on GitHub)

 1title: Azure Application Deleted
 2id: 410d2a41-1e6d-452f-85e5-abdd8257a823
 3status: test
 4description: Identifies when a application is deleted in Azure.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 7author: Austin Songer @austinsonger
 8date: 2021/09/03
 9modified: 2022/10/09
10tags:
11    - attack.defense_evasion
12    - attack.impact
13    - attack.t1489
14logsource:
15    product: azure
16    service: activitylogs
17detection:
18    selection:
19        properties.message:
20            - Delete application
21            - Hard Delete application
22    condition: selection
23falsepositives:
24    - Application being deleted may be performed by a system administrator.
25    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
26    - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
27level: medium

References

Related rules

to-top