Azure Owner Removed From Application or Service Principal

Aug 12, 2024 · attack.defense-evasion ·

Identifies when a owner is was removed from a application or service principal in Azure.

Sigma rule (View on GitHub)

 1title: Azure Owner Removed From Application or Service Principal
 2id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6
 3status: test
 4description: Identifies when a owner is was removed from a application or service principal in Azure.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 7author: Austin Songer @austinsonger
 8date: 2021-09-03
 9modified: 2022-10-09
10tags:
11    - attack.defense-evasion
12logsource:
13    product: azure
14    service: activitylogs
15detection:
16    selection:
17        properties.message:
18            - Remove owner from service principal
19            - Remove owner from application
20    condition: selection
21falsepositives:
22    - Owner being removed may be performed by a system administrator.
23    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
24    - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
25level: medium

References

Microsoft Entra audit log activity reference - Microsoft Entra ID

Get an overview of the audit activities that can be logged in your audit logs in Microsoft Entra ID.

Read More

Azure Owner Removed From Application or Service Principal

Sigma rule (View on GitHub)

References

Microsoft Entra audit log activity reference - Microsoft Entra ID

Related rules