Azure Owner Removed From Application or Service Principal

Identifies when a owner is was removed from a application or service principal in Azure.

Sigma rule (View on GitHub)

 1title: Azure Owner Removed From Application or Service Principal
 2id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6
 3status: test
 4description: Identifies when a owner is was removed from a application or service principal in Azure.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 7author: Austin Songer @austinsonger
 8date: 2021/09/03
 9modified: 2022/10/09
10tags:
11    - attack.defense_evasion
12logsource:
13    product: azure
14    service: activitylogs
15detection:
16    selection:
17        properties.message:
18            - Remove owner from service principal
19            - Remove owner from application
20    condition: selection
21falsepositives:
22    - Owner being removed may be performed by a system administrator.
23    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
24    - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
25level: medium

References

Related rules

to-top