App Granted Microsoft Permissions

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

Sigma rule (View on GitHub)

 1title: App Granted Microsoft Permissions
 2id: c1d147ae-a951-48e5-8b41-dcd0170c7213
 3status: test
 4description: Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
 7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 8date: 2022-07-10
 9tags:
10    - attack.credential-access
11    - attack.t1528
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        properties.message:
18            - Add delegated permission grant
19            - Add app role assignment to service principal
20    condition: selection
21falsepositives:
22    - When the permission is legitimately needed for the app
23level: high

References

Related rules

to-top