Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Sigma rule (View on GitHub)
1title: Added Credentials to Existing Application
2id: cbb67ecc-fb70-4467-9350-c910bdf7c628
3status: test
4description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
7author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
8date: 2022-05-26
9modified: 2025-07-18
10tags:
11 - attack.privilege-escalation
12 - attack.t1098.001
13 - attack.persistence
14logsource:
15 product: azure
16 service: auditlogs
17detection:
18 selection:
19 properties.message:
20 - Update application – Certificates and secrets management
21 - Update Service principal/Update Application
22 condition: selection
23falsepositives:
24 - When credentials are added/removed as part of the normal working hours/workflows
25level: high
References
Related rules
- Github Outside Collaborator Detected
- Okta Identity Provider Created
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain