Added Credentials to Existing Application

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Sigma rule (View on GitHub)

 1title: Added Credentials to Existing Application
 2id: cbb67ecc-fb70-4467-9350-c910bdf7c628
 3status: test
 4description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
 7author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 8date: 2022-05-26
 9tags:
10    - attack.t1098.001
11    - attack.persistence
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        properties.message:
18            - Update Application-Certificates and secrets management
19            - Update Service principal/Update Application
20    condition: selection
21falsepositives:
22    - When credentials are added/removed as part of the normal working hours/workflows
23level: high

References

Related rules

to-top