Azure Owner Removed From Application or Service Principal
Identifies when a owner is was removed from a application or service principal in Azure.
Sigma rule (View on GitHub)
1title: Azure Owner Removed From Application or Service Principal
2id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6
3status: test
4description: Identifies when a owner is was removed from a application or service principal in Azure.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
7author: Austin Songer @austinsonger
8date: 2021/09/03
9modified: 2022/10/09
10tags:
11 - attack.defense_evasion
12logsource:
13 product: azure
14 service: activitylogs
15detection:
16 selection:
17 properties.message:
18 - Remove owner from service principal
19 - Remove owner from application
20 condition: selection
21falsepositives:
22 - Owner being removed may be performed by a system administrator.
23 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
24 - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
25level: medium
References
Related rules
- AWS CloudTrail Important Change
- AWS GuardDuty Important Change
- AWS SecurityHub Findings Evasion
- Azure Active Directory Hybrid Health AD FS New Server
- Azure Active Directory Hybrid Health AD FS Service Delete