App Granted Microsoft Permissions

Aug 12, 2024 · attack.credential-access attack.t1528 ·

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

Sigma rule (View on GitHub)

 1title: App Granted Microsoft Permissions
 2id: c1d147ae-a951-48e5-8b41-dcd0170c7213
 3status: test
 4description: Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
 7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 8date: 2022-07-10
 9tags:
10    - attack.credential-access
11    - attack.t1528
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        properties.message:
18            - Add delegated permission grant
19            - Add app role assignment to service principal
20    condition: selection
21falsepositives:
22    - When the permission is legitimately needed for the app
23level: high

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

App Granted Microsoft Permissions

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules