Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
Sigma rule (View on GitHub)
1title: Added Owner To Application
2id: 74298991-9fc4-460e-a92e-511aa60baec1
3status: test
4description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
7author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
8date: 2022-06-02
9tags:
10 - attack.t1552
11 - attack.credential-access
12logsource:
13 product: azure
14 service: auditlogs
15detection:
16 selection:
17 properties.message: Add owner to application
18 condition: selection
19falsepositives:
20 - When a new application owner is added by an administrator
21level: medium
References
Related rules
- Application AppID Uri Configuration Changes
- Azure Key Vault Modified or Deleted
- Azure Keyvault Key Modified or Deleted
- Azure Keyvault Secrets Modified or Deleted
- Azure Kubernetes Admission Controller