Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Sigma rule (View on GitHub)
1title: Added Credentials to Existing Application
2id: cbb67ecc-fb70-4467-9350-c910bdf7c628
3status: test
4description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
7author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
8date: 2022-05-26
9tags:
10 - attack.t1098.001
11 - attack.persistence
12logsource:
13 product: azure
14 service: auditlogs
15detection:
16 selection:
17 properties.message:
18 - Update Application-Certificates and secrets management
19 - Update Service principal/Update Application
20 condition: selection
21falsepositives:
22 - When credentials are added/removed as part of the normal working hours/workflows
23level: high
References
Related rules
- Github Outside Collaborator Detected
- Okta Identity Provider Created
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain